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CHABAUTY WITHOUT THE MORDELL-WEIL GROUP 


MICHAEL STOLL 


Abstract. Based on ideas from recent joint work with Bjorn Poonen, we describe an 
algorithm that can in certain cases determine the set of rational points on a curve C, given 
only the p-Selmer group S of its Jacobian (or some other abelian variety C maps to) and the 
image of the p-Selmer set of C in S. The method is more likely to succeed when the genus 
is large, which is when it is usually rather difficult to obtain generators of a finite-index 
subgroup of the Mordell-Weil group, which one would need to apply Chabauty’s method in 
the usual way. We give some applications, for example to generalized Fermat equations of 
the form x 5 + y 5 = z p . 


1. Introduction 

When one is faced with the task of determining the set of rational points on a (say) hyperel- 
liptic curve C: y 2 = f(x), then the usual way to proceed is in the following steps. We denote 
the Jacobian variety of C by J, and we assume that / has odd degree, so there is a rational 
point at infinity on C, which eliminates possible shortcuts that can be used to show that a 
curve does not have any rational points. 

1. Search for rational points on C. 

This can be done reasonably efficiently for ^-coordinates whose numerator and denomi¬ 
nator are at most 10 5 , say. Rational points on curves of genus > 2 are expected to be 
fairly small (in relation to the coefficients), so the result very likely is C(Q). It remains 
to show that we have not overlooked any points. 

2. Compute the 2-Selmer group Sel 2 J [StoOl]. 

The ‘global’ part of this computation requires arithmetic information related to class group 
and unit group data for the number fields generated by the roots of /. If the degrees of the 
irreducible factors of / are not too large (and the coefficients are of moderate size), then 
this computation is feasible in many cases, possibly assuming the Generalized Riemann 
Hypothesis to speed up the class group computation. The ‘local’ part of the computation 
is fairly easy for the infinite place and the odd finite places, but it can be quite involved 
to find a basis of J(Q 2 )/2J(Q 2 ). 

To proceed further, we need the resulting bound r for the rank of J(Q), 

r = dim F2 Sel 2 J — dim Fa J(Q)[2], 

to be strictly less than the genus g of C. By work of Bhargava and Gross [BG13] it is 
known that the Selmer group is small on average, independent of the genus, so when g is 
not very small, this condition is likely to be satisfied. 
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3. Find r independent points in J(Q). 

We can use the points on C we have found in Step 1 to get some points in J(Q). However, 
it can be quite hard to find further points if the points we get from the curve generate a 
subgroup of rank < r. There are two potential problems. The first is of theoretical nature: 
the rank of J(Q) can be strictly smaller than r, in which case it is obviously impossible 
to find r independent points. Standard conjectures imply that the difference between r 
and the rank is even, so we will not be in this situation when we are missing just one 
point. In any case, if we suspect our bound is not tight, we can try to use visualization 
techniques [BF06] to improve the bound. The second problem is practical: some of the 
generators of J(Q) can have fairly large height and are therefore likely to fall outside our 
search space. When the genus g is moderately large, then we also have the very basic 
problem that the dimension of our search space is large. 

To proceed further, we need to know generators of a finite-index subgroup G of J(Q). 

4. Fix some (preferably small) prime p (preferably of good reduction) and use the knowledge 
of G to compute a basis of the space V of Q p -defined regular differentials on C that kill the 
Mordell-Weil group J(Q) under the Chabauty-Coleman pairing (see for example [Sto06]). 
This requires evaluating a bunch of p-adic abelian integrals on C, which (in the case of 
good reduction with p odd) can be done by an algorithm due to Bradshaw and Kedlaya 
and made practical by Balakrishnan [BBK10]. 

5. Find the common zeros of the functions P t —lu on C*(Q p ), where u runs through a 
basis of V. 

The rational points are among this set. If there are additional zeros, then they can usually 
be excluded by an application of the Mordell-Weil sieve [BS10]. 

The most serious stumbling block is Step 3, in particular when the genus g is of ‘medium’ 
size (say between 5 and 15), so that Step 2 is feasible, but we are likely to run into problems 
when trying to find sufficiently many independent points in the Mordell-Weil group. 

In this paper we propose an approach that circumvents this problem. Its great advantage 
is that it uses only the 2-Selmer group and data that can be obtained by a purely 2-adic 
computation. Its disadvantage is that it may fail: for it to work, several conditions have to 
be satisfied, which, however, are likely to hold in particular when the genus gets large. 

Generally speaking, the method tries to use the ideas of [PS 14] (where it is shown that 
many curves as above have the point at infinity as their only rational point) to deal with 
given concrete curves. Section 2 gives a slightly more flexible version of one of the relevant 
results of this paper. In Section 4, we formulate the algorithm for hyperelliptic curves of odd 
degree that is based on this key result. The method will apply in other situations as well 
(whenever we are able to compute a suitable Selrner group), and we plan to work this out in 
more detail in a follow-up paper for the case of general hyperelliptic curves and also for the 
setting of ‘Elliptic Curve Chabauty’, where one wants to find the set of fc-points P on an 
elliptic curve E defined over a number field k such that f(P) G P 1 (Q), where /: E —» P 1 is 
a non-constant fc-morphism. One application in the latter setting is given at the end of this 
paper. The approach has also already been applied in [FNS16] to complete the resolution of 
the Generalized Fermat Equation x 2 + y 3 = z 11 . 

2 


One ingredient of the algorithm is the computation of ‘halves’ of points in the group J(Q 2 ). 
In Section 5 we give a general procedure for doing this in J(k), when J is the Jacobian of 
an odd degree hyperelliptic curve and k is any held not of characteristic 2. In Section 6, we 
demonstrate the usefulness of our approach by showing that the only integral solutions of 
y 2 — y = x 21 — x are the obvious ones. 

In Section 7, we show how our method leads to a fairly simple criterion that implies the 
validity of Fermat’s Last Theorem for a given prime exponent. This does not lead to any 
new results, of course, but it gives a nice illustration of the power of the method. In Section 8, 
we then apply our approach to the curves 5 y 2 = Ax p + 1. Carrying out the computations, we 
can show that the only rational points on these curves are the three obvious ones, namely 
00 , (1,1) and (1, —1), when p is a prime < 53 (assuming GRH for p > 23). A result due 
to Dahmen and Siksek [DS14] then implies that the only coprime integer solutions of the 
Generalized Fermat Equation 


x 5 + y 5 = z p 


are the trivial ones (where xyz = 0). 

As already mentioned, we end with another type of example, which uses the method in the 
context of ‘Elliptic Curve Chabauty’ to show that a certain hyperelliptic curve of genus 4 
over Q has only the obvious pair of rational points. The Mordell-Weil rank is 4 in this case, 
so no variant of Chabauty’s method applies directly to the curve. 


Acknowledgments. I would like to thank Bjorn Poonen for useful discussions and MIT for 
its hospitality during a visit of two weeks in May 2015, when these discussions took place. 
All computations were done using the computer algebra system Magma [BCP97]. 


2. The algorithm 

In this section we formulate and prove a variant of |PS14, Proposition 6.2], We then use it 
to give an algorithm that can show that the set of known rational points in some subset X 
of the p-adic points of a curve already consists of all rational points contained in X, using 
as input only the p-Selmer group of the Jacobian of the curve. The idea behind this goes 
back to McCallum’s paper [McC94], 

Let k be a number held, let C/k be a nice (meaning smooth, projective and geometrically 
irreducible) curve of genus g > 2 and let A/k be an abelian variety, together with a map 
i: C —> A such that A is generated by the image of C (for example, A could be the Jacobian 
of C and i the embedding given by taking some ^-rational point P 0 £ C(k) as basepoint). 
Fix a prime number p. We write Sel p A for the p-Selmer group of A. Recall that this is 
defined as the kernel of the diagonal homomorphism in the commuting diagram with exact 
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rows 


0 


H\k,A)[p\ 


0 


0 


m 

pA(k) 



A(k v ) 

pA(k v ) 


s 


s 


H\k,A[p ]) 



]_H\k v ,A\p}) - ^Y[H\k v ,A)\p\ 


0 


that is induced by applying Galois cohomology to the short exact sequence 

0 —y A[p\ —y A-^A —y 0 

of Galois modules over k and over all completions k v of k, so the products in the second row 
run over all places v of k. The vertical maps are induced by k ^-y k v . In particular, for each 
place v there is a canonical map Sel p (kl) —y A(k v )/pA(k v ). 

We write k p = k®QQ p ; this is the product of the various completions of k at places above p. 
The set C(k p ) and the group A{k p ) can similarly be understood as products of the sets 
or groups of /q-points, for the various v \ p. The inclusion k <—y k p induces natural maps 
C(k) ^-y C(k p ) and A(k) < —y A{k p ). Let X C C(k p ) be a subset (for example, the points in a 
product of u-adic residue disks). We then have the following commutative diagram of maps. 


C[k) fl X c 


X<- 


C(k) — i -^- A(k) 

-~\ r\ 

C(k p ) -U A{k p ) 



pA(k p ) 


We introduce some more notation. For P G A(k p ), we set 

(2.1) q(P) := {*■„«) : Q 6 A(k p ),3n > 0: p”Q = i 5 } C 

and for a subset S C A(k p ), we set q(S) = [j P£S q(P). We further define 

u{P) := sup{n : n > 0, P G p n A(k p )} G Z> 0 U {oo}. 

Note that v(P) = oo is equivalent to P having finite order prime to p\ on the complement 
of the finite set consisting of such P, v and q are locally constant. 

With a view toward further applications, we first state a more general version of our result, 
which we will then specialize (see Theorem 2.6 below). We remark that C could also be a 
variety of higher dimension here. 

Theorem 2.1. In the situation described above, fix some subgroup T C A(k) and assume 
that 

(1) kercr C <5(7r(T)) ; and that 

(2) q(i(X) + T) n im(cr) C 7r p (T). 

Then i[X D C(k)) C T := {Q G A{k) :3n>l:nQeT}. 
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Proof. Let P E X D C(k). We show by induction on n that for each n > 0, there are T n E T 
and Q n E A{k) such that i(P) = T n + p n Q n . This is clear for n = 0 (take T 0 = 0 and 
Qo = i(P))- Now assume that T n and Q n exist. Note that vr p (Q n ) E q(i{P) — T n ), so 

7 Tp(Qn) = a(6(7r(Q n ))) E q(i(X) + T) fl im(cr); 

by (2) this implies cr(d(7r(Q n ))) E 7T p (r) = cr(5(7r(T))). This shows that Q n E T+ker(cro5o7r). 
By (1) and since 6 is injective, we have 

ker(a o 6 o 7 r) = 7r" 1 (5” 1 (ker cr)) C 7r _1 (7r(r)) = T + ker7r = T + pA(k), 

which implies that Q n E T + pA{k). So there are T' E T and Q n +i E A(k ) such that 
Qn = T' + pQ n+ 1 . We set T n+1 =T n + p n V E T; then 

i(P) =T n + p n Q n = T n + p n (T' + pQ n+1 ) = T n+ i + p n+1 Q n+1 . 

Now consider the quotient map A{k ) -» A(k)/T. Since f is saturated in the finitely 
generated group A(k), the quotient group is torsion free and hence free. Observe that for 
every n > 0, 

mP)) = ip(T n +p n Q n ) = V>(T n ) +p n fj(Q n ) = p n if{Qn) E p n (A(k)/T), 
which implies that if(i(P)) = 0 and so i(P) E F. □ 


The point of formulating the statement in this way (as compared to [PS 14]) is that we 
avoid the use of p-adic abelian logarithms, which would require us to compute p-adic abelian 
integrals, usually with p = 2 and in a situation when the curve has bad reduction at 2. 
Instead, we need to be able to compute q(P) for a given point P, which comes down to 
finding its p-division points. At least in some cases of interest, this approach seems to be 
computationally preferable. 


Remark 2.2. Instead of considering multiplication by p, we could use an endomorphism if 
of A that is an isogeny of degree a power of p and such that some power of if is divisible 
by p in the endomorphism ring of A. We then consider A(k)/ifA(k), A(k p ) / if A(k p ) and the 
'0-Selmer group Sel,/, A. Note that when if: A —> A' is any isogeny whose kernel has order a 
power of p and with dual isogeny if, then we can consider Ax A' with the endomorphism 
if: (P,P r ) i —y (if{P'),if{P)), which satisfies if 2 = deg^ = p m , together with the morphism 
i: X —x A x A' , P h-x (*(P), 0). Taking T x {0} in place of T and writing the relevant maps 
as 


A(k) 


A(k) r s 
$(A'(k)) 


Sel A' —^ /fe) 

$( A '{k p )) 


and 


A'(k) 


A\k) r y 
if{A(k)) 


Sel,/, A 


A'(k p ) 
if{A(k p )) ’ 


the second condition in Theorem 2.1 translates into 


qA(i(X) + T) n im(cr) C cr(5(7r(T))) 


q A ’{pf l (f(X)) + A'(k) tors ) n im(cr') C ^(^(^'(^'(fc)^))). 
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Remark 2.3. The set Xni -1 (T) that contains C(k)DX when Theorem 2.1 applies can in many 
cases be determined by the usual Chabauty-Coleman techniques; see for example [Sto06]. 
Of course, if T is finite (and so f = kL(/c) t0 rs is hnite as well), which is usually the case in 
applications, then determining X 0 i _1 (r) is essentially trivial. 

We give some indication of how one can compute a set such as q(P + T), where P G A{fk p ). 
We assume that, given P G A(k p ), we can find all Q G A{k p ) such that pQ = P. 

Lemma 2.4. With the notations used in Theorem 2.1, fix a complete set of representatives 
R C T for T jpT. Let P G A(k p ) and set Q = {Q G A(k p ) : 3 T G R : pQ = P + T}. Define 
an equivalence relation on Q via Q ~ Q' •<==>■ Q — Qf G T, and let Qf be a complete set of 
representatives for <2/~. Then 

q(P + r) = {7i p (P + T):TeR}U (J q(Q + T). 

QoQ' 

Proof. Since Q + T = Qf + T whenever Q ~ Q', it is sufficient to prove the equality with Q in 
place of Qf. We first show that the set on the right is contained in the set on the left. This is 
clear for the elements 7r p (P + T), taking n — 0 in (2.1). So let now Q G Q and f G q(Q + T). 
Then there are n > 0, T' G T and Q' G A{k p ) such that p n Q' = Q + T' and 7r p {Q') = £. 
There is also T G T such that pQ = P + T. We then have 

p n+1 Q' = p(Q + T') = P+ (T + pT') G P + T 

and so f = n p (Q') G q(P + T). 

Now we show the reverse inclusion. Let f G g(P + T), so there are n > 0, T' G T, Qf G A{fk p ) 
such that p n Q' = P + T' and 7t p (Q') = f. There is also some T G R such that T — T' = pT" 
with T" G T. If n — 0, then f = 7r p (P + T') = n p {P + T ). If n > 0, we can write 

P + T = (P + T')+ pT" = p(p n ~ 1 Q' + T") = pQ 

with Q = p n ~ 1 Q' + T" G Q, and f = 7 r p (Q') G q(Q - T") C q(Q + T). □ 

Whenever sup u(P + T) < oo, the recursion implied by Lemma 2.4 will terminate, and so the 
lemma translates into an algorithm for computing q(P + T). We make this condition more 
explicit. 

Lemma 2.5. We write cl(T) for the topological closure ofT in A(k p ). Let P G A(k p ). Then 
sup u{P + T) = oo if and only if there is a point T G A(fk p ) of finite order prime to p such 
that P G T + cl(T). 

Proof. Let A[fk p )\ be the kernel of reduction (i.e., the product of the kernels of reduction 
of the various A{fk v ) with v a place above p) and let m denote the exponent of the hnite 

group A{fk p )/A{fk p )i. Then for all P G A[fk p ), p n mP tends to the origin as n — )* oo. If 

sup z/(P + T) = oo, then there are arbitrarily large n such there exist G T and Q n G A{fk p ) 
with P = 7 n +p n Q n , so mP — m^ n tends to the origin as n gets large. Then P — y n must be 
close to a point of order m; by restricting to a sub-sequence, we fold that P — approaches 
a point T G A{fk p )[m\. Since T is close to P — = p n Q for arbitrarily large n , T must be 

infinitely divisible by p, so the order of T is prime to p. We clearly have P G T + cl(T). 
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For the converse, it suffices to consider P in the closure of T, since the points of finite order 
prime to p in A[k p ) are infinitely p-divisible. Since any point sufficiently close to the origin 
is highly p-divisible, this implies that for each n > 0 we can find G T and Q n G A(k p ) 
such that P — 'jn = P n Qn • This is equivalent to sup v(P + T) = oo. □ 

We specialize Theorem 2.1 to the case that k — Q and i embeds the curve into its Jacobian. 
Let C be a proper regular model of C over Z p . Then the reduction map sends C(Q P ) = C(Z p ) 
to the set of smooth F p -points on the special fiber of C. The preimage D of a smooth F p - 
point on the special fiber of C under the reduction map is called a residue disk in C(Q p ); 
see [PS14], It follows from Hensel’s Lemma that there is an analytic map ip from the open 
p-adic unit disk to C such that D = <p(pZ p ). If p — 2, then we call the subsets <p(4Z 2 ) 
and ip(2 + 4Z 2 ) half residue disks. 

Theorem 2.6. Let C be a nice curve over Q, with Jacobian J. Let Po G C(Q) and take 
X C C(Q P ) to be contained in a residue disk or, when p = 2 and J(Q)[2] ^ 0 , in a half 
residue disk, and to contain Pq. Let i: C —>■ J be the embedding sending Po to zero. With 
the notation introduced above, assume that 

(1) kercr C J(7r(J(Q) tors )) ; and that 

(2) q(i(X) + J(Q)tors) H im(cr) C 7r p (J(Q) tors ). 

Then C(Q) D X = {P 0 }. 

Proof. We apply Theorem 2.1 with k — Q, C our curve, A = J, i as given in the statement 
and T = f = J (Q)tors• This tells us that i(C(Q) D X) C J(Q) to r S - If p > 2 or p = 2 and 
J(Q)[2] = 0, then the only rational torsion point in the kernel of reduction of J(Q p ) is the 
origin, which implies that there cannot be two distinct points in X both mapping to torsion 
under i. If p = 2 and J(Q)[2] 0, then the corresponding statement is true if X is a half 

residue disk, which means that i(X) is contained in JL 2 , the second kernel of reduction; see 
Section 3 below. In both cases, we find that there is at most one rational point in X; since 
Po is on e such point, it must be the only one. □ 

This leads to the following algorithm. It either returns FAIL or it returns the set of rational 
points on the curve C. We refer to [Sto07] for the definition of the p-Selmer set Sel p (C) of 
the curve C. Given an embedding i of C into its Jacobian J, it can be interpreted as the 
subset of Selp(J) consisting of elements that locally come from points on the curve. 

Algorithm 2.7. 

Input: A nice curve C , defined over Q, with Jacobian J. 

A point Po G C(Q), defining an embedding i: C —^ J. 

A prime number p. 

Output: The set of rational points on C , or FAIL. 

1. Compute the p-Selmer group Sel p J and the p-Selmer set Sel^C; 
i induces a map : Sel p C Sel p J. 

2. Search for rational points on C and collect them in a set C'(Q)known- 

3. Let cr: Sel V J —> J(Qp)/pJ(Q p ) be the canonical map. 

If kercr <2 Q)tors)), then return FAIL. 
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4. Let R be the image of J(Q)tor S in J(Q P )/pJ(Q P )- 

5. Let X be a partition of C(Q P ) into residue disks whose image in J(Q p )/ pJ (Q p ) consists 
of one element and that are contained in half residue disks when p = 2 and J(Q)[2] ^ 0. 

6. For each X G X do the following: 

a. If X n C(Q) known = 0: 

If n p (X) C im(cr o A), then return FAIL; 
otherwise continue with the next X. 

b. Pick some Pi G C'(Q)known D X. 

c. Compute Y = Upex.TeJ^to™ ?([ p ~ p i} +T)C J(Q P )/pJ(Q p ). 

d. If Y fl im(cr) <2 R , then return FAIL. 

7. Return C , (Q) know n- 

Proposition 2.8. The algorithm is correct: if it does not return FAIL, then it returns the 
set of rational points on C. 


Proof. First note that Step 3 verifies the first assumption of Theorem 2.6; it returns FAIL 
when the assumption does not hold. It is also clear that if the algorithm does not return 
FAIL, then the set it returns is a subset of C*(Q). We show the reverse inclusion. So let 
P G C(Q) be some rational point. There will be some X G X such that P G X. Then 
7T p (X) is contained in ini (cr o i*), so since the algorithm did not return FAIL, by Step 6a. it 
follows that X nC'(Q) knoW n 7 ^ 0 ; let Pi G X nC(Q) known as in Step 6b. Now by Step 6d. the 
second assumption of Theorem 2.6 is satisfied, taking the embedding with base-point Pi. So 
the theorem applies, and it shows that there is only one rational point in A", so P = Pi G 

C(Q) known- □ 

Remark 2.9. We note that in Step 6, the set X can be further partitioned if necessary. If there 
are several points in C(Q) known that end up in the same set A", then the second assumption 
of Theorem 2.6 cannot be satisfied. But it is still possible that the theorem can be applied 
to smaller disks that separate the points. (If the points are too close /radically, this will not 
work, though. In this case, one could try to use T + J(Q)tors hr the more general version of 
the theorem, where F is the subgroup generated by the difference of the two points.) 

There are also cases when it helps to combine several sets A into one. One such situation is 
when there are points in C(Q p ) that differ by a torsion point of order prime to p and such 
that only one of the corresponding sets X contains a (known) rational point. 

A particularly useful case is when C is hyperelliptic, A = J is the Jacobian of C. and we 
consider p = 2. There is an algorithm that computes 2-Selmer group Seh J , which is feasible 
in many cases, compare [StoOl]. We discuss this further in Section 4 below in the case when 
the curve has a rational Weierstrass point at infinity. 

Another useful case (using a slightly more general setting) is related to “Elliptic curve 
Chabauty”. Here A is the Weil restriction of an elliptic curve E over some number field k 
such that there is a non-constant morphism C —>■ E defined over k. We give an example of 
this in Section 9. 
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3. Computing the image under q of a disk 

In this section, we discuss in some detail how to find the image under q of (the image in J 
of) a residue disk of C(k p ). The basic idea is that q is locally constant on the curve even 
near points where v becomes infinite (a variant of this was already used in [PS14]). To get a 
practical algorithm out of this idea, we have to produce an explicit neighborhood on which 
q is constant. We will do this first away from the points where v becomes infinite and then 
also on residue disks centered at a point where v becomes infinite. 

Since objects over k p are products of objects over the various completions k v at places v 
above p, we will now work over a fixed such completion. We fix a non-constant morphism 
i: C —» J, where J can be any abelian variety that is spanned by i{C). To ease notation, 
we write tt instead of tt v for the map J(k v ) —> J (k v ) /pJ (k v ). 

We assume that we can compute q(P) for any given point P G J(k v ) that is not (too close to) 
a point of finite order prime to p. When p = 2 and C is hyperelliptic of odd degree and J is 
the Jacobian, this can be done by using the halving algorithm of Section 5 below: we compute 
the image of P in L 2 and record it; if the image is trivial, then we compute all halves of P 
and apply the same procedure to them. Since by assumption P is not infinitely 2-divisible, 
the recursion will eventually stop with an empty set of points still to be considered. 

The following is essentially immediate from the definitions. 

Lemma 3.1. Let Pi,Pi G J(k v ) and assume that P 1 = P 2 ^ 0 mod p m+1 J(k v ). Then 
v{P\) = v(P 2 ) and q(P 1 ) = q(P 2 ). 

Proof. The assumptions imply that P\ , P 2 ^ p m+1 J (k v ) , so whenever there are Q G J(k v ) and 
n > 0 such that p n Q = P\ or P 2 , then n < m. Let P' G J(k v ) such that P 2 = P\ + p m+1 P'. 
Then p n Q = P\ implies p n {Q + p m+1 ~ n p ,s j = p 2? S o that v(P 2 ) > v(P\), and by symmetry, 
we obtain equality. 

Let £ G q{Pi)‘, then £ = 7 t(Q) for some Q such that p n Q = P\ as above. Then n < m and so 
£ = 7 t(Q) = 7 t(Q y pm+i-np') y g(P 2 ) as well. This shows that q{P\) C q(P 2 ); the reverse 
inclusion follows again by symmetry. □ 

We write O v for the ring of integers in k v and w for a uniformizer. We abuse notation and 
write v: k* —> Z for the additive valuation, normalized such that v(w) = 1. Then e = v(p) 
is the absolute ramification index of K v . We fix a proper regular model C of C over O v . Let 
J be the Neron model of J over O v . For n > 1, we denote by 

K n := ker (j(k v ) = J{O v ) J(O v /w n O v )) 

the ‘higher kernels of reduction’; K n is also the group of w n O v - points of the formal group 
associated to J . 

We now fix a residue disk D C C(K V ) with respect to C ; we will denote an analytic param¬ 
eterization D 0 > D by Lp, where D 0 is the open unit disk. Since i induces a morphism from 
the smooth part of C to J. it follows that 

(3.1) t,t r G mO v , v(t — t')>m => i(tp{t)) — i(ip(t')) G K m . 
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The formal logarithm converges on K\ and gives a homomorphism K\ —> k dimJ . Restricted 
to K m with m > e/(p — 1), the formal exponential provides an inverse, so that the formal 
logarithm gives an isomorphism K m —y (zu m O v ) dimJ . It follows that pK m = K m+e ; in 
particular, 

(3.2) K ne+m = p n K m C p n J(k v ) for all n > 0. 

This implies together with (3.1) that for m as above and n > 0, 

(3.3) t, t' G wO v , v(t — t')>ne + m =>- i(p(t)) = i(ip(t')) mod p n J(k v ). 

In the following we write p for |_e/(p — 1)J + 1; this is the smallest choice of m in the 

considerations above. If k v = Q p (or, more generally, an unramified extension of Q p , so that 
e = 1 ), then p = 1 when p is odd, and p = 2 when p = 2 . 

Corollary 3.2. Consider cp: Do —>■ D C C{k v ) as above, and let to G wO v be such that 

u(i(p{t 0 ))) < n. Then for all t with v(t — to) > e(n + 1) + p, we have 

= K*(<^o))) and q(i(ip(t))) = q{i{<p(t 0 ))). 

More generally, let T C J(Q 2 ) be a subgroup. If max i/(f(<^(f 0 )) + T) < n, then for all t with 
v{t — t 0 ) > e(n + 1 ) + p, we have 

ma xv(i(p{t)) + T) = max v(i(p(t 0 )) + T) and q(i(<p(t)) + T) = q(i(<p(t 0 )) + T). 

Proof. By (3.3), we have i((p(t)) = i(p{t 0 )) mod p n+l J(k v ). The first claim now follows from 
Lemma 3.1. The second claim follows from the first by considering i(p(t)) +7 for each 7 6 T 
separately, and applying the first claim to the shifted embedding P 1 —>■ i (P) + 7 . □ 

If the image of the disk D in J does not contain a point of finite order prime to p , then v will 
be boTinded on D. Corollary 3.2 then provides a partition of D into finitely many sub-disks 
such that qoi is constant on each of them. In this way, we can compute q{i(D)). In a similar 
way, this allows us to compute q[i{D) + T) if i(D) does not meet cl(T) + J(k v )[p'], where 
G[p'\ denotes the subgroup of an abelian group G consisting of elements of finite order prime 
to p\ compare Lemma 2.5. 

We now consider the situation when D contains a point Pq such that i(Po) £ J(k v )[p']. In 
this case, the result above will not produce a finite partition into sub-disks, so we need 
to have an explicit estimate for the size of the pointed disk around Po on which q o i is 
constant. Without loss of generality, i(Po) = 0. We also assume that <^(0) = Po, so that 
*( 79 ( 0 )) = 0 G J. 

In the following, we write ntors for the smallest n > 0 such that J{k v )[p°°] C J[p n ]. In other 
words, p ntois is the exponent of the p-power torsion subgroup J(k v )[p°°). 

Lemma 3.3. Let P G J(k v ). 

(1) //n to rs = 0, then u(pP) = v(P) + 1 and q(P) C q(pP) C q(P) U {0}. 

(2) v(P) > n t 0 rs, then v(pP) = n(P) + 1 and q(pP) = q(P). 
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Proof. Since p n Q = P implies p n+1 Q = pP, the inclusion q(P) C q(pP) is clear, as is the 
inequality v(pP) > v(P) + 1, for arbitrary P. 

First assume that n t0 rs = 0. Consider £ G g(pP), so there are Q G J{k v ) and n > 0 such 
that p n Q = pP and tt(Q) — £. If n — 0, then £ = tt(Q) = tt( pP) = 0. If n > 1, then we 
must have p n ~ l Q = P (since there is no nontrivial p-torsion), so £ = 7 t(Q) G q(P)- Taking 
n = v(pP) shows that v(P) > u(pP) — 1. 

Now assume that z/(P) > n tors and write P = p nt ° rs + 1 p 0 for Pq G J(k v ). We first show that 
7 T(T (kf) [p°°]) C q(P). For this, let T G J(k v )\p°°] = J(k v )(p ntOTB ]. Then p ntors (T + pP 0 ) = P, 
so vr(T) = 7 r(T + pP 0 ) e g(P) by ( 2 . 1 ). 

To show that q(pP) C g(P), let £ G q(pP), so there are some Q G J(/c„) and n > 0 

with tt(Q) = £ such that p n Q = pP = p" tors+ 2 P 0 . If n < n t0 rs + 1, then it follows that 

Q = p n ^+ 2 ~ n p 0 + T with T G J(k v ) [p°°], so £ = 7t(<2) = 7t(T) G g(P) by the argument 
above. If n > n tOTS + 2, then p n ~ ntoia ~ 2 Q = p 0 -f p with T G J(/c^)[p ntors ], and therefore 
p n ~ l Q = p n t°r S +ip o = P 5 so £ = 7 t(<5) G g(P). Carrying out this argument with n = v{pP ) 

and a suitable Q, we also get that z/(P) > z/(pP) — 1. □ 


For m>lwe define 


N(m) = 1 + min | 


/cm — w(/c) — // 


fc > 2 


Then N(m)e > 2m — a for some constant a. 

Lemma 3.4. Assume that v(t) — m > 1. Then 

p • z(<p(i)) = i((p{pt)) mod p^M J(k v ). 


Proof. In terms of formal group coordinates, we can write 

l°gji(¥>(t)) = cii + yt 2 + yh 3 + ... 

with ci, c 2 , c 3 ,... G O dira J . We find that 

logy (pi (¥>(*)) - =plogji{<p(t)) - log ji(<p(pt)) 


= c 2 p -^e + C3—————P + c/- 






by the dehnition of N(m). We have that 

P ' ^ pPm T P-m+e Pm+e ^ Pfii 

so we are in the domain of the isomorphism induced by the formal logarithm, which allows 
us to conclude that pi(ip(t)) — i(ip(pt)) G iCv(m)e+/*■ The claim then follows from (3.2). □ 

Corollary 3.5. If we havep = 2 and e = 1 (which is the case when k v = Q 2 J in the situation 
of Lemma S.f, then 

2 i(ip(t)) = i(ip(2t)) mod 2 2 m ” 2 J(Q 2 ). 

If in addition C is hyper elliptic, <p(0) is a Weierstrass point and <p(—i) = t(ip(t)), where i is 
the hyperelliptic involution, then 

2i(ip(t)) = i(ip(2t)) mod 2 3 m_ 1 J(Q 2 ). 
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Proof. If p = 2 and e — 1, then p = 2 and so N(m) = 2m — 2 in Lemma 3.4 (the minimum 
is attained for k = 2 ). 

Under the additional assumptions on C and <p, it follows that logj o % o p is odd, so that 
C 2 n = 0 for all n > 1 in the proof of Lemma 3.4.. We then obtain the better bound in the 
same way as in that proof, noting that we can restrict to odd k (which have v(k) = 0 ). □ 

For our fixed ip and i, we define, for m > 1, 

n m := ma x{v(i(p(t))) : t G wO v ,v(t) = m}. 

Lemma 3.6. There is some such that n m e <m + b for all m > 1. 

Proof. First note that i(<p(t)) G K rn+a \K m+a + 1 for some hxed a when m is sufficiently large, 
where a is the valuation of C\ in the proof of Lemma 3.4 above. 

Next, let a' denote the p-adic valuation of the exponent of the (finite) quotient group 
J(k v )/K /Jj . Then for n > p and P G K n \ K n+ll we have u(P)e < n — p + a!e. To see 
this, write P = p p(yP ^Q for some Q G J(k v ); assume u(P)e > n — p + a'e. Then p a 'Q maps to 
an element of order prime to p in J(k v )/K fl , and since P = p u ( p )~ a ( p a Q) g it follows 
that p a 'Q G K tJ (its class in J{k v )/K^ has order prime to p and a power of p at the same 
time, so it must be zero). This in turn implies, using (3.2), 

P = p^Q = p^~ a ' ■ 0 p a 'Q ) G K, +{y{P) _ a , )e C K n+1 , 

a contradiction. So v(P)e < n — p + a'e as claimed. 

Finally, combining these arguments, we see that n m e < m + (a + a'e — p) for large m, which 
implies the claim. □ 

Lemma 3.7. Let mo = 1 if n tOTS = 0 and mo = n tors e + p + e otherwise. There is some 
m > mo such that N(m ) > n m + 1. For any such m, we have have that 

q{i{p{{t : m < v(t) < 00 }))) = q{i(<p{{t : v(t) = m}))) U {0}. 

Proof. By Lemma 3.6, n m e < m + b for some 6 ; on the other hand, N(m)e > 2m — a for 
some a, so whenever m > a + b + e, the inequality N(m) > n m + 1 holds. Fix such an m 
that also satisfies m > mo- We now show that if v(t) = m, then 

v(i(<p(p n t))) = is(i(<p(t))) + n and q{i(p(p n t))) C q(i((p(t))) U {0} 

for all n > 0, which implies the claim (note that 0 G q(i(P)) if P is sufficiently close to Pq). 
Note that m > n to rs e + p + e implies n m > n tors + 1 by (3.3) (taking t' — 0). We proceed 
by induction on n, the case n — 0 being trivial. So consider n > 1. By the inductive 
assumption, we have 

u(i(p)(p n ~H))) = u(i(ip(t))) + n-l<n m + n-l and g(*(<p(p n-1 £))) Q q(i(ip(t))) U {0}. 

By Lemma 3.4, this implies p ■ i( y p(p n ~ 1 t)) = i(p(p n t)) mod p N ( m +( Tl ~ 1 ) e ) J(k v ) , and since 

N(m + (n — l)e) > N(m) + 2n — 2 > n m + n > u(i(ip(p n ~ 1 t))) + 1 

and n m > n t 0 r S + 1 in case n t0 rs > 0, by Lemmas 3.1 and 3.3 it follows that 

v{i(p(p n t))) = u(p ■ i(ip(p n ~ l t))) = u(i(Lp(p n ~ l t ))) + 1 = u(i(p(t))) + n 
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and 


q(i((p(p n t))) = q(p ■ i(tp(p n H))) C q(i((p(p n H))) U {0} C q{i(p{t))) U {0}. □ 

Corollary 3.8. If p = 2 and e = 1 in the situation of Lemma 3.7, then we take mo = 1 if 
Tutors = 0 and mo = n tors + 3 otherwise. There is then some m > mo such that 2m — 3 > n m . 
For any such m, we have have that 

q{i{p{{t : m < v(t) < oo}))) = q(i(cp({t : v(t) = m}))) U {0}. 

If the curve is hyperelliptic, P 0 = 93 ( 0 ) is a Weierstrass point and <p(—t) = t((p{t)), where t 
is the hyperelliptic involution, then the condition above can be replaced by 3m — 2 > n m . 

Proof. This follows again from p — 2 and N{m) > 2m — 2. The improved statement under 
the additional assumptions follows in the same way as for Corollary 3.5. □ 

This now allows us to find q(i(D)) when 0 G i{D). First we use Corollary 3.2 to determine 
q(i(<p({t : 1 < v(t) < mo — 1})))- Then for m = mo, mo + 1,..., we find in a similar way n m 
and q(i(ip({t : v(t) = m}))). As soon as n m + 1 < N(m), we can stop the computation; we 
then have q(i(D \ {To})) = : 1 < v(t) < m}))) U { 0 }. 

We state a special case for later use. 

Corollary 3.9. Assume that C is hyperelliptic, of good reduction mod 2, and satisfies 
J(Q 2 )[2] = 0 and J(F 2 )[ 2 ] = 0. Let P 0 € C(Q 2 ) ; choose a parameterization p of a residue 
disk D centered at Po and let ip 0 denote the embedding of C into J sending Po to 0. Then 

(!) <l(ip 0 ( D )) = 9 (*p 0 (t( 2 Z 2 X u 4 Z 2 ))) U{ 0 }, and 
(2) if Po is a Weierstrass point and (p satisfies (p(—t) = t(ip(t)), then 
q^Po(D)) = q(ip 0 (<p(27,%))) U {0}. 

Proof. Since k v = Q 2 , we are in the case p = 2 and e — 1. The assumptions on 2-torsion 
over Q 2 and over F 2 imply that n tor s = 0, which in turn implies that for P E K m \ K m+ll 
we have u(P) E {m — 2,m — 1}, for all m > 1, compare [PS14, Lemma 10.1] and its proof. 
Also, K\ has odd index in J(Q 2 ). We can therefore take b = — 1 in Lemma 3.6. Then m = 2 
is a suitable value in Corollary 3.8. When P 0 is a Weierstrass point, then by Corollary 3.8 
again even rn — 1 is sufficient. □ 

We now give a version of Lemma 3.7 that applies when we work with a subgroup T that does 
not consist of torsion points only. We restrict here to the case k v = Q 2 ; a general statement 
can be obtained and proved along the same lines, with changes similar to the statement and 
proof of Lemma 3.7. 

We let T C J(Q 2 ) be a subgroup such that T D 2J(Q 2 ) = 2T and such that cl(T) is not of 
finite index in J(Q 2 ). We define 

n m ,r '■= sup {u(i(<p(t)) + 7 ) : 7 E T,t E 2Z 2 ,v(t) = m}. 

Lemma 3.10. Let m 0 = 2 if n toIS = 0 and mo = n t ors + 3 otherwise. Assume that there is 
m > mo such that 2m — 3 > n m ^- For any such m, we have have that 

q(i(ip({t : m < v(t) < 00 })) + T) = q(i(ip({t : v(t) = m})) + T) U q(T). 
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If the curve is hyperelliptic, Pq = <p(0) is a Weierstrass point and <p(—t) = t(^p(t)), where l 
is the hyperelliptic involution, then the condition above can be replaced by 3 m — 2 > n m p. 


By standard Chabauty-Coleman, the intersection of i{D) with cl(r) is hnite. So for m 
sufficiently large, i(<p( 2 m Z 2 )) will meet cl(T) only in Pq, hence n m p < oo. So we can hope to 
find an m as in the lemma. It is conceivable, however, that the image of the curve meets cl(T) 
at i(Po) with higher multiplicity, in which case n m p may grow too fast with m. 

Proof. We show again inductively that if v(t) = m, then 

max v{i(tp(2 n t)) + T) = max v{i(<p(t)) + T) +n and q(i(ip(2 n t)) + T) C q(i(tp(t)) + T)Ug(T) 

for all n > 0 (note that g(T) C q(i(P) + T) if P is sufficiently close to Pq). The case n = 0 
is trivial. So consider n > 1. By the inductive assumption, we have 

max z/(i(<p( 2 n_ 1 f)) + T) = ma xv(i(<p(t)) + T) + n — 1 < n mi r + n — 1 

and 

q(i(y(2 n ~ l f)) + T) C g(i(<p(f)) + T) U q(T). 

By Corollary 3.5, we have 2i(ip(2 n ~ 1 t)) = z(<p(2 n t)) mod 2 2m+2n ~ 4 J(Q 2 ). So for every 7 6 T, 
we have 

2(i(p(2 n ~ 1 t)) + 7 ) = i(<p(2 n t)) + 2 7 mod 2 2m+2n ~ 4 J(Q 2 ). 

Since 

2m + 2n — 4 > n m ^ + n > v{i ((p(2 n ” 1 f)) + 7 ) + 1 
and n m) r > n to rs + 1 in case n t0 rs > 0, by Lemmas 3.1 and 3.3 it follows that 

v(i(ip(2 n t)) + 27 ) = z/( 2 (i(<p( 2 n " 1 t)) + 7 )) = v(i(<p{2 n ~ l t)) + 7 ) + 1 

and 

q(i(tp(2 n t)) + 27 ) = q(2(i(cp( y 2 n ~ 1 t)) + 7 )) C g(z(<p(2 n " 1 t)) + 7 ) U {0} C q(i(<p(t)) + T) U q(T). 
Now consider 7 G T \ 2T. Since i(tp(2 n t)) E 2 n+m ~ 2 J(Q 2 ) mid n + m — 2 > 1, we get 
i/(%(2 n t)) + 7 ) = 0 and g(i(<p(2 n t)) + 7 ) = {^( 7 )} C q(T). 

(We use here that 7 ^ 2J(Q 2 ).) Together, these relations imply that 

max u(i(ip(2 n t)) + T) = 111 a xu(i(<p(t)) + T) + n 

and 

<?(%(2 n t)) + T) C g(i(<p(f)) + T) U g(T) 

as claimed. 

The improved statement under the additional assumptions follows again in the same way. □ 
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4. Determining the set of rational points on odd hyperelliptic curves 


In this section, we specialize the algorithm formulated in Section 2 to hyperelliptic curves of 
odd degree over Q. So let 

C: y 2 = f(x) 

be a hyperelliptic curve, given by a squarefree polynomial / G Z[x] of odd degree 2g + 1 
(then g is the genus of C). We understand C to be the smooth projective model of the affine 
curve given by the equation; then C is a nice curve. We write J for the Jacobian of C. For 
a point P 0 G C'(Q) (or G(Q 2 )), we let ip 0 : C —> J denote the embedding that sends P 0 to 
the origin of J. 

To carry out one of the relevant steps, we must compute q(P) for points P G J( Q 2 ) (where 
q(P) is defined as above with p = 2). The basic strategy for this was explained in Section 3. 
To implement it, we need to be able to divide by 2 in J((Qj 2 ). We consider this problem in 
Section 5 below. 

We recall the algorithm for computing the 2-Selmer group of J, compare [Sch95,StoOl]. Let 
C be given by the affine equation y 2 = f{x) with / G Z[i] squarefree and of odd degree 2g + l, 
where g is the genus of C. Let L = Q [x\/(f) be the associated etale algebra and write 9 for 
the image of x in L. If A is any commutative ring, then we write A n for the group A x /(A x ) 2 
of square classes in the multiplicative group A x of A. 

For any field extension k of Q, there is an isomorphism 

(4.1) if 1 (fc,J[2])^ker(iV (i0Qfc)/fc : (L ® Q k) D -A k n ) 

realizing the Galois cohomology group on the left in a concrete way, and there is the ‘Cassels 
map’ or L x — T” map 

p k '. J{k ) —► J(k)/2J{k) ‘-A ( L® Q k) D 

that is induced by evaluating x — 9 (multiplicatively) on divisors whose support is disjoint 
from the set of Weierstrass points of C. The image of pk is contained in the kernel of 
the norm map above; pk is the composition of the connecting map 5k'- J{k ) —y p[ l [k , J[2]) 
induced by the exact sequence of Galois modules 

0 —> J[2} —>• J(k) -U J(k) —>■ 0 

with the isomorphism (4.1). We write p = pq, and for v a place of Q, we write L v = L<S>qQ v 
(with Qoo = M as usual) and set p v = pq v . 

Let S be the set of places of Q consisting of 2 and the finite places v such that the Tamagawa 
number of J at v is even. The subgroup L(£, 2) of L a consists of the elements represented 
by a G L x such that the fractional ideal generated by a has the form /(/ 2 with J 2 supported 
on the primes above primes in E. Then the isomorphic image of Sel 2 J in L a , which we will 
identify with Sel 2 J, is given by 

Sel 2 J = {£ G L(E, 2) : N l /q(£) = D,VdgEU { 00 }: p v (£) G im(p v )}, 

where p v : LP —> L ^ is the canonical map. There is also the 2-Selmer set of G, given by 

Sel 2 C = G L(E, 2) : 7V L/Q (£) = D,Vu: p„(0 G ^(^(^(Q,)))}- 
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It is a subset of the 2-Selmer group. The set of places v in the condition can be restricted 
to the set £ U { 00 } together with all ‘small’ primes, where ‘small’ in practice can be rather 
large; see [BS09]. 

Algorithm 2.7, combined with the representation of J(k)/2J(k) as a subgroup of (L< 8 )q k) n , 
then leads to the following. 

Algorithm 4.1. 

Input: A polynomial / G Z[x\, squarefree and of odd degree 2 g + 1. 

Output: The set of rational points on C : y 2 = f{x), or FAIL. 

1. Let J denote the Jacobian of C. Set L = Q[x]/(f). 

2 . Compute Sel 2 J and Sel 2 C as a subgroup and a subset of L a . 

3. Let L 2 = L 0q Q 2 ; let r: L a —» be the map induced by Q —* Q 2 . 

If kerr D Sel 2 J <2 J( 7 r(J(Q)[ 2 °°])), then return FAIL. 

4. Search for rational points on C and collect them in a set C'(Q)known- 

5. Let A be a partition of (7(Q 2 ) into residue disks whose image in consists of one element 
and that are contained in half residue disks when J(Q)[2] 7 ^ 0. 

6 . Let R denote the image of J(Q)[2°°] in L^. 

7. For each I 6 J do the following: 

a. If A n C(Q) known = 0: 

If /i 2 (A) C Sel 2 C, then return FAIL; 
otherwise continue with the next A. 

b. Pick some P 0 G C'(Q)known H A. 

c. Compute Y = n 2 (q(ip 0 (X ) + J(Q)[2°°])) C . 

d. If Y D r(Sel 2 J ) $7 R, then return FAIL. 

8 . Return ( ’( O)known• 

That the algorithm is correct is a special case of Proposition 2.8, taking into account that 
torsion points of odd order are infinitely 2 -divisible, which allows us to replace J(Q)tors 
with J(Q)[ 2 °°] at the places where the latter occurs. 

Remark 2.9 applies in the same way as to the general algorithm. 

Remark 4.2. We note that the (image of the) Selmer group in L a that is used in the algorithm 
can be replaced by any subgroup S of L a that contains it (and similarly for the Selmer set). 
For example, we can take 

S = G L(E, 2) : A l/q (0 = □, Vu G £ U { 00 } \ {2}: res,® G im(^)}, 

where £ is the set of ‘bad primes’ for 2-descent on J. This leaves out the 2-adic Selmer 
condition. Taking it into account requires the computation of /z 2 (J(Q 2 )), which is usually 
the most time-consuming step in the local part of the computation of Sel 2 J. We can do 
without it, since using S in the algorithm is actually equivalent to using Sel 2 J. To see this, 
first consider Step 3. Since all elements in the kernel of r satisfy the 2-adic Selmer condition 
trivially, it follows that kerr D S — kerr D Sel 2 J, so that the outcome of Step 3 is the same 
in both cases. Now consider Step 7a. This does not involve Sel 2 J, so its outcome is trivially 
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the same in both cases. Finally consider Step 7d. If Y D r(S) $2 R, then there is some 
s G S such that r(s) ^ R and r(s) G Y. But everything in Y is of the form /z 2 (Q) for some 
Q G J(Q 2 ), so Y C im(/i 2 ), which means that s satisfies the 2-adic Selmer condition. This 
shows that s G Sel 2 J and then implies that Y nr(Sel 2 J) 3 r(s) ^ R , so that the outcome of 
this step is again the same in both cases. The preceding arguments show that the algorithm 
fails on S if and only if it fails on Sel 2 J. Finally, it is clear that the result will be the same, 
namely C'(Q)k noW n, hi both cases when the algorithm does not output FAIL 

If £ C {2,p} with p ^ ±1 mod 8, then we can also leave out the condition Nl/q(£) = □, 
since then Q(£, 2) injects into Q°, so the norm condition is implied by the image under r 
being in Y. 

Of course, we can also use a subset of L that is possibly larger than Sel 2 C instead of the 
2-Selmer set. In fact, this is what we have to do in practice, since the computation of the 
exact 2-Selmer set usually requires taking into account the local conditions for all primes up 
to some bound that is exponential in the genus of C ; compare [BS09]. 

If we assume that C'(Q)known meets every set in X, then the other conditions required to 
avoid failure of the algorithm are likely to be satisfied. This follows from work of Bhargava 
and Gross [BG13], which we use in a similar way as in [PS14]: the ‘probability’ that the map 
Sel 2 J —> J(Q 2 )/2J(Q 2 ) is injective is at least 1 — 2 1_9_dimF 2 A® 2 )! 2 !, and the ‘probability’ that 
the image has intersection with Y contained in R is at least 1 — (#(Y / R) — 1)2 1 ~ 9 . Since by 
the results of [PS14] Y is usually small and by [Stol5] the size of Y modulo R is uniformly 
bounded by some constant times g 2 , there is a very good chance that both conditions are 
satisfied when g is large. 

5. Halving points on odd hyperelliptic Jacobians 

In this section we describe an algorithm that computes one ‘half’ or all ‘halves’ of a point 
P G 2J(k), where J is the Jacobian of a hyperelliptic curve C of odd degree over the field k. 
We assume that char(h) ^ 2, so that C can be given by an equation y 2 = f(x) with / G k[x] 
squarefree and of odd degree 2g + 1. 

Recall that each point in J(k) is uniquely represented in the form [D — doo], where D is an 
effective divisor in general position defined over k and d = deg D < g. An effective divisor D 
is said to be in general position if its support does not contain oo and D ^ P + t(P) for any 
point PgC, where t: C —> C is the hyperelliptic involution. 

Any effective divisor D in general position can be described by its Mumford representation 
( a,b ). Here a G k[x] is a monic polynomial of degree d = degP whose roots are the 
x-coordinates of the points in the support of D , with appropriate multiplicity (so that a 
corresponds to the image of D under the hyperelliptic quotient map to P 1 ), and b G k[x\ is 
another polynomial such that &(£) = g for any point P = (£,rj) in the support of D and 
satisfying a \ f — b 2 . This polynomial b is uniquely determined modulo a; in particular, we 
obtain a unique representation if we require deg (b) < d. However, it is sometimes useful to 
allow additional flexibility, so we will not always insist on this normalization. In fact, we 
may also want to allow polynomials a of larger degree (this leads to even more non-unique 
representations, but can be useful in certain situations). 
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We will use the notation (a, b ) to denote the divisor D, and we will write [a, b] = [(a, b) — doo] 
for the point on J corresponding to it. 

Let c be the leading coefficient of /. Then in terms of the Mumford representation, the 
descent map //: J{k ) —> L a is given by 

[a, b] > (-c) deg(a) a(d) • (L x ) 2 

if a and / are coprime. In the general case, write a\ and f\ for a and / divided by their 
(monic) gcd; then 

MMD = fi(a) := (-c) d *'(«>(a(S) - 0,(9)/,(9)) • (i x ) 2 ; 

compare [Sch95]. 

Since the kernel of p is 2J(k), this gives us a way of deciding whether a point P G J(fc) is 
divisible by 2 in J(k ): this is equivalent to the existence of a polynomial s 6 I[i] such that 

»(9) 2 = (-c)*«<*>(o(9)-a 1 (9)/ 1 (9)); 

equivalently, 

s 2 = ( _ c) deg(a) (a _ ai/i)mod f 

We will now state a result that shows how to compute a point Q G J{k) such that 2 Q = P, 
given such a polynomial s. 

Note that when a = afa 2 , then P = [a, b] is divisible by 2 if and only if P 2 = [ 02 , b] is, and 
each point Q such that 20 = P has the form Q = Q± + Q 2 where Q 2 satisfies 20 2 = I\ and 
Q 1 = [ai,6]. So we can assume that a is squarefree. 

Proposition 5.1. Let a G k[x\ be monic and squarefree, of degree < 2g + 1. Let d denote 
gcd(a, f), so that a = da\ and f = df\ as above. Suppose we have b,s G k[x] with 

f = b 2 mod a and (—c) deg (“)(a — Gq/i) = s 2 mod /, 

so that [a, b] G 2J(k). For polynomials u, v and w, consider the following system of congru¬ 
ences: 

(5.1) vd = ws mod / 1 , vd = ub mod ai, ufi = ws mod d. 

Then this system has a nontrivial solution (u, v, w ) with w monic such that 

(5.2) deg(w) < deg(a)/2, deg(n) < g + deg(a)/2 — deg(d) and deg(w) < g. 

Each such solution satisfies the relation 

(5.3) u 2 f\ = dv 2 — (— c) des ^aiw 2 . 

Now assume that ( u,v,w ) is a solution such that w has minimal degree. Let d\ = gcd(u,tc); 
then di divides fai and v. Write d, { = dfd a with dj = gcd(di,/) and d a = gcd(di,ai). Set 
Wi = w/di, Ui = u/di, V\ = v/di and let r G k[x\ be such that 

ru\ = —V\d mod W\d a and r = 0 mod df. 

Then Q = [w, r] satisfies P = 2 Q. 

If Q and Q' are computed starting from s and s' such that s' ^ ±s mod f, then Q and Q' 
are distinct. 
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Proof. First note that, since / is squarefree, we have that d and f\ are coprime. Also, d 
and a i are coprime, since a divisor in general position contains no ramification point with 
multiplicity 2 or more. So /i, aq and d are coprime in pairs and squarefree. The fact that a 
divides f — b 2 implies that d divides b and that d is also the gcd of a and b. 

The first claim is that the system of congruences has a nontrivial solution when the degrees 
of the polynomials are bounded as stated. To see this, note that the conditions are linear in 
(the coefficients of) u, v and w, and that the total number of coefficients of u, v and w is 

|~deg(a)/2] + (g + [deg(a)/2j - deg(d) + 1) + (g + 1) = 2g + deg(a) - deg(d) + 2 

= deg(/i) + deg(ai) + deg(d) + 1. 

On the other hand, the number of linear constraints is deg(/i) + deg(ai) + deg(d). So there 
are more variables than constraints, hence nontrivial solutions exist. 

We claim that w cannot be zero in such a solution. Otherwise, the first congruence would 
imply that fi divides v (since / 1; oq and d are coprime in pairs), which for degree reasons 
(recall that deg(a) < 2(7 + 1) is only possible when v — 0. In a similar way, the second 
congruence would then imply that aq divides u (since aq is coprime to b), whereas the third 
congruence implies that d divides u, so a divides u, which is only possible when u — 0. But 
then our solution is trivial, a contradiction. So w ^ 0, and without loss of generality, w can 
be taken to be monic. 

We show that every solution as above satisfies relation (5.3). Namely, by the first congruence 
and since s 2 = (— c) deg ^a mod fi, 

d 2 v 2 = (dv) 2 = ( sw ) 2 = s 2 w 2 = (—c) deg(a W = (—c) deg(a )(+j,u> 2 mod f u 

so (since d and f\ are coprime), the relation holds mod f\. Next, by the second congruence, 

d 2 v 2 = (dv) 2 = ( bu) 2 = b 2 u 2 = fu 2 = dfiu 2 mod a\ , 

so (since d and aq are coprime), the relation holds mod aq. Finally, by the last congruence, 

u 2 f 2 = ( ufi ) 2 = (sw) 2 = s 2 w 2 = — (— c) deg ^aifiw 2 mod d, 

so (since d and f\ are coprime again), the relation holds also mod d. It follows that it holds 
mod /icqd. Since the degrees of all terms are strictly less than the degree of /icqd, equality 
follows, and (5.3) is verified. 

We note that the fact shown above that a nontrivial solution has w ^ 0 implies that w 
determines the solution uniquely. It follows that there is in fact a unique solution with 
w monic and deg(tc) minimal. 

Since d is squarefree, (5.3) implies that the gcd di of w and u also divides v. We can therefore 
divide all three by this gcd, obtaining rq, V\ and w \; they satisfy 

u\h = dv{ - (-c) deg Wfl lU ;(. 

If some irreducible factor p of d\ does not divide /aq, then (u/p,v/p,w/p) also satisfy 
the system of congruences, contradicting the minimality of deg(w). Now assume that p 2 
divides d\ for some irreducible polynomial p. Then p divides /i, cq or d, say p \ aq (the 
other cases are analogous). Since aq is squarefree, the congruence vd = ub mod aq implies 
(■ v/p)d = (u/p)b modai, and so again ( u/p,v/p,w/p ) satisfy the system of congruences, 
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contradiction. So d\ is squarefree and must therefore divide aifid. In particular, we can 
write d\ = dfd a as claimed. 

Note that ( u\b ) 2 = u\f = iyid) 2 mod ai, so that ai divides {u\b — vid){u\b + v\d). We claim 
that d a = gcd(wife + Vid,a±). For this, consider an irreducible factor p of d a . If p divides 
u\b — v\d, then ( u/p,v/p,w/p ) are a solution, a contradiction. So p must divide u\b + v\d. 
Conversely, if p is any irreducible factor of a± that divides Uib + V\d, then (noticing that b is 
invertible mod ai) for p to divide ub — vd, it must necessarily divide u and v, so p \ d a - 

Ui is invertible mod W\, but also mod d a (since U\ and V\ are coprime as well — a\ is 
squarefree — and d a is coprime with fi and d). Furthermore, df is coprime with w\ (and of 
course also with d a ), for essentially the same reason. Therefore a polynomial r exists such 
that u±r = — v\d mod W\d a and r = 0 mod df. 

Now we consider the function 

0 = u{x)y — v(x)d(x) = df(x)d a (x) {u\{x)y — V\{x)d{x)) 

on C. Its divisor of zeros is 

2 (df, 0) + ((d a , b) + (d a , —&)) + ((d, 0) + (d a , —b) + (ai/ d a , b) + 2(uq, —r)) 

— (oi, b) + (d, 0) + 2 [(df, 0) + (d a , —6) + (wi, —r )) 

= (a, b) + 2(w, -r ). 

To see this, note that the norm in k[x\ of the last factor of 0 is u 2 f — v\d 2 = (— c) Aeg ^daiw\ 
and that u\b = v\d mod a\/d a and u\b = — v\d mod d a (and so also r = b mod d a ). Setting 
Q = [w,r], we therefore obtain 2 Q = P. 

We now show that Q determines s mod / up to sign. Given Q = [tu, r] such that 2 Q = P, 
there is a unique function (up to scaling) on C whose divisor is (a, b) + 2 (w,—r) — noo 
(where n = deg(a) + 2deg(tc)); this function must then be 0, which gives us u and v up to 
scaling; the relation u 2 fi = dv 2 — (— c) deg ^aw 2 then fixes them up to a common sign. Write 
df — dpdd with df 1 — gcd (df, fi) and dd = gcd(d/, d). In a similar way as above for d a , one 
shows that dp = gcd(tcis + uid, /i) and dd = gcd(wi/i + tcis, d). Since w\ is coprime with /, 
this determines s mod / via the congruences 

Wis = Vid mod fi/dp , w±s = —Vid mod dp, 
w\s = u\fi mod d/dd, w±s = —u\f\ mod dd- 

A common sign change of u and v (which is the only ambiguity here) results in a sign change 
of s. ' □ 

We can try to use the algorithm implied by Proposition 5.1 over a p-adic held. It will possibly 
run into precision problems when some of the roots of a get close to roots of / (but with the 
resultant of a and / still being nonzero, albeit p-adically small) or when the resulting point 
is represented by a divisor of lower degree or such that some points are close to the point 
at infinity. In practice, however, these problems occur fairly rarely. A possible remedy in 
such a case is to replace (a, b) by another representation (a', b') such that [a', b’\ = [a, b] and 
deg(a) > g. Writing / — b 2 = ac, we have [c — 2hb — h 2 a, —b — ha} = [a, b] for all polynomials h. 
Taking h to be constant already allows us to replace a by a polynomial a' that is coprime 
with / (and probably we can also arrange a' to be squarefree) and satisfies deg(a') < g + 1 
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if deg (a) = g. Another possibility is to consider points in a residue disk given by suitable 
Laurent series, perform the computation on the Laurent series and then specialize. 

Remark 5.2. In the context of computing q(P), the following observation can be useful. 
Given P = [a,b] with deg(a) < g + 1 and T = [h, 0] £ J(k)[ 2] with h \ f and deg(h) < g, 
we can use the method described in Proposition 5.1 to compute halves of P + T without 
first computing a representation of the sum. For simplicity assume gcd(a, /) = 1 (this can 
be arranged, see above). Then P + T = [ah,b'h\ where b'h = b mod a. There will be si 
and s 2 such that = (— c) deg ^ah mod f/h and = — (— c) deg ^a(f /h) mod h. We obtain 
the congruences 

vh = ws i mod f/h, vh = ub mod a, u(f/h) = ws 2 mod h 

with deg(u) < (deg(a) + deg(h))/ 2 , deg(n) < g + (deg(a) — deg(h ))/2 and deg(w) < g. 

In a similar way, we can divide P + P' by 2: let P = [a, b\, P' = [a',b'\ and assume that 
deg(a) + deg(a') <2g + l and that a, a' and / are coprime in pairs. Given a polynomial s 
such that s 2 = (—c) deg ( a ) +deg ( a laa! mod /, the system to be solved is 

v = ws mod /, v = ub mod a, v = ub' mod a' 

with deg(u) < (deg(a) + deg(a'))/ 2 , deg(u) < g + (deg(a) + deg(a '))/2 and deg(w) < g. 

We mention one implication that can be helpful in applications. 

Corollary 5.3. Let [o', b] be the Mumford representation of a point P £ J{k), write a' = a^a 
with a squarefree and monic and fix a polynomial s such that s 2 = (—c) deg ^(a — a\fi) mod / 
as above. Let ( u,v,w ) be the solution withw monic and of smallest degree of the system (5.1) 
with the restrictions in (5.2), and let Q £ J(k) be the associated point such that 2 Q = P. 
Then p(Q) = p(a 0 )p(w). 

Proof. This is because according to Proposition 5.1, Q = [do, b\ + [w, r] for some r £ k[x]. □ 

Corollary 5.4. In the situation of Corollary 5.3, we have the following special cases. 

(1) If P = [(£, 77 ) — 00 ] £ 2 J{k) with 77 7 ^ 0, fix s £ k[x) such that s 2 = c(£ — x) mod /. Let w 
be the monic polynomial of smallest degree such that the residue of smallest degree of ws 
modulo f has degree < g. Then the point Q £ J(k) with 2 Q = P that is associated to s 
satisfies 

h{Q) = fM- 

(2) If P = [(£ 1 , 771 ) - (£ 2 , 772 )] £ 2 J(k) with £1 ^ £ 2 and rjj 0 for j £ {1,2}, fix s £ k[x] 
such that s 2 = (x — £i)(x — £ 2 ) mod /. Let w be the monic polynomial of smallest degree 
such that the residue v of smallest degree ofws modulo f has degree < g + l and satisfies 
h 2 u (£i) + ^i^(£ 2 ) = 0. Then the point Q £ J(k ) with 2 Q = P that is associated to s 
satisfies 

r{Q) = fM- 

Proof. This follows directly from Corollary 5.3, using that d — 1 (in the notation of Propo¬ 
sition 5.1) in both cases and that u has to be constant. In the first case, the congruence 
v = ub mod a is redundant, and the system reduces to just v = ws mod /. In the second 
case, the congruence v = ub mod a is equivalent to the condition 77 2 n(£i) + r/i 7 ;(£ 2 ) = 0 . □ 
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6 . A CONCRETE EXAMPLE 


In this section we use the approach described above to show the following result. 


Theorem 6 . 1 . Assuming GRH, the only integral solutions of the equation 

y 2 — y = x 21 — x 


have x G {—1, 0,1}. 


We remark that / = 21 is the smallest odd exponent such that our method can be successfully 
applied to determine the set of integral points on the curve y 2 — y = x l — x. One can check 
that for l G {5, 7, 9,11,13,17} the 2-Selmer rank of the Jacobian is > g = (/ — l)/2, and for 
l G {15,19}, the map from SeR J to J(Q 2 )/ 2 J(Q 2 ) is not injective. 

We also note that all these curves have a pair of rational points with x = 1/4; these points are 
of the form (p(2u) for a parameterization (p of the residue disk at infinity, where a G Z 2 X . For 
such a point P, [P — 00 ] has nontrivial image in J(Q 2 )/ 2 J(Q 2 ), and this image is contained 
in the image of the Selmer group. On the other hand, by Corollary 3.9, the value of q 
on the residue disk of 00 is given by the values at points of the form ip(2u), so q(ioo(D )) 
will meet the image of the Selmer group non-trivially for every disk D around infinity, no 
matter how small. This implies that our approach cannot be used to show that 00 is the 
only rational point 2-adically close to 00 . This is why we restrict to integral points in the 
statement of Theorem 6.1. The result is in fact stronger: it covers all rational solutions 
whose ^-coordinate has odd denominator. 

In principle, one could try to deal with the residue disk at infinity using T = ( 7 ) where 
7 = Kl’^ + 2 ^ 1 ) — 00 ], since the three (known) rational points in the disk map into this 
group. Unfortunately, it turns out that q(ioo(P 4 )) meets the image of the Selmer group 
outside the image of T, so that we cannot conclude. Here P 4 = y?(4) denotes a point with 
x-coordinate 1/4 2 (we can use a parameterization of the disk at infinity whose x-coordinate 
is given by t~ 2 )\ i 00 (P 4 ) + 67 = 2 3 Q with tt 2 (Q) G a(Sel 2 J ) \ vr 2 (r). 

Proof. Let C denote the curve defined by the equation y 2 — y = x 21 — x, and let J be its 
Jacobian. Note that C is isomorphic to the curve given by y 2 = 4x 21 — 4x + 1 =: /(x); let 
L = Q[x]/ (/). We compute a group S G L a containing SeR J using the algorithm described 
in [StoOl]. The discriminant of / is —2 40 times the product of six distinct odd primes. This 
implies that 2 is the only ‘bad’ prime for 2-descent, so that the image of the Selmer group is 
contained in L({2}, 2). Since L is totally ramified at 2, we can reduce this to S' = L(0, 2) (if 
£ represents an element of L({ 2 }, 2 ) and -/W/q(£) is a square, then the ideal generated by £ 
must be a square). The class group of L turns out to be trivial, so that L(0, 2) = Of], but we 
do not need this fact. We do need to compute L(0, 2) and explicit generators of it, though. 
This is where we use GRH to make the computation feasible in reasonable time. We check 
that the map S —> Lf is injective. 

The curve has good reduction mod 2 , and J(F 2 ) and J(Q 2 ) both have no elements of order 2 . 
Up to the action of the hyperelliptic involution, there are two residue disks with 2-adically 
integral x-coordinates; we can center them at the rational points ( 0 , 0 ) and ( 1 , 0 ), respectively. 
By [StoOl, Lemma 6.3], it follows that the image in Lf of a point P G C(Q 2 ) with x(P) G Z 2 
depends only on x mod 4. We check that the image in Lff of the points with x(P) = 2 mod 4 
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is not in the image of S. This shows that any (2-adically) integral point P G C(Q) must 
have x(P) = —1, 0 or 1 mod 4. We consider each of the corresponding (pairs of) half residue 
disks separately. Let Po be one of the points (—1,0), (0,0) or (1,0) on C and let D be the 
disk around P 0 consisting of points P with x(P) = x(Pq) mod 4 and y(P) = 0 mod 2. By 
Corollary 3.9 (note that the disk D corresponds to m > 2 in terms of the maximal residue 
disk around P 0 ), we have 

Q^p 0 ( d )) = 9(Jp 0 (+(4Z 2 x ))), 

where ip is a parameterization of the residue disk containing Po such that <£>(0) = Po and 
D = +(4Z 2 ). By Lemma 3.1 and since v(ip 0 (ip(4u))) = 1 for some u G Z 2 (as becomes 
apparent in the course of the computation), it is sufficient to consider </?(4) and </?(— 4). So 
we compute the (unique) half of ip 0 (P) for each point P G D such that x(P) = x(Po) ±4; we 
find that its image in Lff is nontrivial (and does not depend on the sign) and is not contained 
in the image of S. By Theorem 2.6 this now implies that D D C(Q) = {Po}, f° r each of the 
three points. So we obtain the result that 

C(Q) n c( z 2 ) = {(-i, o), (-1, l), (o, o), (o, l), (l, o), (l, i)} 

as claimed. □ 


7. An application to Fermat’s Last Theorem 

In this section we apply the criterion that is given by the algorithm in Section 4 to a certain 
family of hyperelliptic curves that are related to Fermat curves. This leads to a criterion 
for Fermat’s Last Theorem to hold for a given prime p. Of course, FLT has been proved in 
general by Wiles [Wil95, TW95], so this will not produce a new result. On the other hand, 
it shows that the method does work in practice. In the next section, we will deal with a 
similar family of curves that are related to certain generalized Fermat equations; our method 
applies again and does indeed solve some new cases of generalized Fermat equations. 

Consider 

Cr. y 2 = f(x) ■= Ax 1 + 1 

with / = 2p +1. This curve has good reduction at 2, since it is isomorphic to y 2 + y = x l . The 
reduction has three F 2 -points, so there are three residue classes in Cj(Q 2 ). We also note that 
Ci has the three obvious rational points oo, (0,1) and (0, —1) and that [(0, ±1) — oo] G J/(Q), 
where Ji denotes the Jacobian of C), is a point of odd order l. We note that J;(Q 2 ) and J;(F 2 ) 
contain no points of order 2. 

Corollary 7.1. Let ip\ Dq —>■ D C Ci(Q 2 ) be a parameterization of one of the three residue 
disks ofCi(Q 2 ), with +(0) being oo or (0,±1). Then 

. flWcl 2ZJU4ZJ)))U{0} (M0)=(0,±1); 

L(*=oM2ZJ)))U{0} (MO) = 00. 

Proof. This is simply Corollary 3.9 specialized to the case at hand. □ 

We now want to find < 7 (ioo(C)(Q 2 ))) hr terms of its image in Lff as in Algorithm 4.1. To do 
this, we need a basis for the latter group. We first note that / is irreducible over Q 2 , so L 2 
is a held. Let A = 2 1 ^, then L 2 = Q 2 (A) is totally and tamely ramified and 9 = — A~ 2 is 
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a root of /. Clearly, 2 = Ah Note that an element of the form 1 + 4a A = 1 + a\ 2l+1 with 
a E Ol 2 is always a square in L 2 (the power series for y/1 + x converges when the valuation 
of x exceeds that of 4). Furthermore, 

(1 + A n ) 2 = 1 + A 2n + X n+l = (1 + A 2n )(l + X n+l + ...), 


which allows us to eliminate factors of the form 1 + X 2n for n < l — 1 when working modulo 
squares. In this way, we find that the following elements represent an F 2 -basis for Lf: 

A, 1 + A, 1 + A 3 , ..., 1 + X 2n+1 , ..., 1 + A 2 '" 3 , 1 + A 2 '" 1 , 1 + A 2 '. 


Lemma 7.2. The image of q , (* 0 o(Q(Q 2 ))) w Lf consists of the classes of 

1, 1 + X l+2 , 1 + A 2 '- 1 , JJ(1 + X l+2k ). 

k> 1 


We let Z denote the set consisting of the three nontrivial classes in this image. 

Proof. We first consider the residue disk around 00 . By Corollary 7.1, it is sufficient to 
fold + 2 (<7 (loo (+(!)))) for t = 2u with a 6 Z 2 X . One choice of tp is 

(p(t) = (r 2 , 2 i -/ (l + 2 ~H 21 - 2 ~ 7 t Al ± ...)). 

Then /i 2 (ioo(+(2w))) is the class of (2w) -2 + A' 2 in Lff. We have 

(2u) -2 + A" 2 = (2n)" 2 (l + u 2 X 2l ~ 2 ) ~ 1 + X 2l ~ 2 ~ 1 + A 2/_1 , 
where ~ denotes equivalence mod squares, by the relation 

1 ~ (1 + A /_1 ) 2 = 1 + A 2 '" 2 + A 2 '" 1 ~ (1 + X 2l ~ 2 )(l + X 21 - 1 ). 

We conclude that (specifying elements of Lff using representatives in Lf) 

/i 2 (g(*oo( J Doo))) = {i,i + A 2i - 1 }. 

(Compare [PS14, Lemma 10.2], which says that the image of the residue disk at infinity 
under the p log map has just one element.) 

Now we consider the residue disk 11(0,1) around (0,1). If P = (£, 77 ) G C'z(Q 2 ) has integral 
x-coordinate, then we must have £ G 2Z 2 (otherwise the right hand side is 5 mod 8 and 
therefore not a square). We can parameterize 11(0,1) by 

(p(t) = (t, y/l + 4 t l = 1 + 2 t l - 2 1 21 + ...). 

Then /i 2 (i 0O (^(2u))) is the class of 

2 u + A -2 = A _2 (l + A l+2 u) ~ 1 + X l+2 ] 

the latter relation holds when u is a unit. By Corollary 7.1, we also need to find the image 
under q of points given by t G 42^, so t = 4u with u G Z,. In this case (recall that 
6 = -A" 2 ) 

4 u-9= (26* 9+1 ) 2 (l - 4 u/9) = s(9) 2 
where s G Q 2 [x] is a polynomial of degree <1 — 1 such that 

s(0) = 2 9 9+1 y/l-4u/9 

= 2 (6 9+1 - 2 u9 9 - 2 u 2 9 9 ~ x - 4 u z 9 9 ~ 2 -...). 
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The coefficients of 


Vl-4x = ^2 2n (-l) r 


1/2 


n 


x' 1 = 


1 • 3 • 5 • • • (2n - 3) 


i — 2 n ———— 

^ n\ 


-x 


n =0 x 7 n=l 

(except for the constant term) all have 2-adic valuation at least 1 (since i> 2 (n!) < n — 1) and 
0~ l = -4 0 29 , so 

^s(x) = x 9+1 — 2ux 9 — 2u 2 x 9 ~ 1 — ... — c g+ iu 9+l mod 8Z 2 [x], 


where c g+ \ denotes the coefficient of x 9+1 in —\/l — 4x. Let Wq(x) denote the partial sum of 
the power series of (1 — 4up to and including the term with x 9 , and set 

w(x) = x 9 w 0 (l/x) = x 9 + 2ux 9 ~ x + 6 u 2 x 9 ~ 2 — _ 


Then 

w(x)s(x) = 2x 2g+1 + (terms up to x 9 ) mod 8Z 2 [x], 

so w(x) = w(x) mod 8Z 2 [x], where w(x) is the monic polynomial of degree g such that 
w{9)s(9) 6 Q 2 + Q 2 9 + ... + Q 2 9 9 . Let Q e Ji{ Q 2 ) denote the point such that 2 Q = 
[(4 u, *) — 00 ]. By Corollary 5.4, the image of Q in L ° is given by the class of 


(—1 ) 9 w{6) ~ (—1 ) 9 w{9) 

= {-6) 9 (l + 2u\ 2 + 6u 2 \ 4 + 20w 3 A 6 + 70n 4 A 8 + .. .) 
~ 1 + 2A 2 + 6A 4 + 20A 6 + 70A 8 + ... 

OO 

~1 + J]a ,+2 ‘ 

k =1 

~ (1 + A z+2 )(1 + A z+4 )(1 + A z+8 ) •••(! + A z+2fc ) 


where the product can be truncated as soon as 2 k > l. (We have used that the valuation of 
the coefficient of x n in (1 — 4x) -1 / 2 is 1 precisely when n is a power of 2.) □ 


We can generalize this result to certain curves of the form y 2 = 4x l + A. Let A e Z with 
A = 1 mod 8 and consider 

Ci ,a '■ y 2 — 4x l + A. 

Then C/a is Q 2 -isomorphic to Ci = Ci : 1 , since A is a square and an 7th power in Q 2 . I 11 
particular, we still have L 2 = Q 2 (A), where now L = Q[x]/(4x i + A ), and the image of 
<?(*oo(CyA(Q 2 ))) in is the same as for C), namely Z U {1}. 

Proposition 7.3. Let A e Z satisfy A = 1 mod 8; consider the curve C^a '■ y 2 = 4x l + A 
over Q with l = 2g+l > 5, with Jacobian Ji a- Let L = Q[x]/(4a; z + 71) and L 2 = L<S)q Q 2 = 
Q 2 (A) with A = 2}! 1 . If 

(1) the canonical map Sel 2 J\,a > L D —y Lff is injective and 

(2) its image does not meet Z, 

then Cz^Q) = { 00 } if A is not a square, and C^a{ Q) = { 00 , (0, a), (0, —a)} if A = a 2 . 
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Proof. We apply Theorem 2.1 with A = J^a, i = i 0 o, T = {0} and X = C/a(Q 2 )- 
By Lemma 7.2, Z is the set of nontrivial images in Lf of elements in g(ioo(Q,. 4 (Q 2 )))- 
So the assumptions here match the assumptions of Theorem 2.1, and we conclude that 
^oo(Cpa(Q)) C {0} = Jz,yi(Q)tors- Since C\a has good reduction at 2 and </z,ji(Q)[2] is trivial, 
we find that </z,A(Q)tors injects into Jz^QF^); in particular, Ci : a{ Q) will inject into C/a(F 2 ), 
which has three elements. Since each residue class in C/a(Q 2 ) contains exactly one torsion 
point (namely, 00 , (0, a) and (0, —a), respectively, where a is a square root of A in Q 2 ), the 
claim follows. □ 

It is known that Fermat’s Last Theorem holds for a prime p > 3 if (and only if) the curve 
y 2 = Ax p + 1 has only the obvious three rational points. So Proposition 7.3 gives a criterion 
for FLT for exponent p to hold, in terms of the 2-Selmer group of the Jacobian of this curve. 
We can deduce the following criterion. 

Proposition 7.4. Let p > 5 be a prime and set L = Q(2 1 / p ) and L 2 = Q 2 (2 1//p ). Let 
r: Of] —>■ Of denote the canonical map. If 

( 1 ) p 2 | 2 P_1 - 1 , 

(2) the class number of L is odd, and 

(3) irn(r) fl Z = 0 (where Z is as above), 

then Fermat’s Last Theorem holds for the exponent p. 

Proof. Let f(x) = x p + 1/4. Then f(x — 1/4) = x p mod pZj p [x\, and the first assumption 
p 2 | 2 P ~ 1 — 1 implies that the constant term is not divisible by p 2 . This in turn implies that 
C p : y 2 = Ax p + 1 is regular over Z p and the component group of the Neron model of the 
Jacobian J of C over Z v is trivial. By [StoOl, Lemma 4.5] or [SS04, Proposition 3.2] (which 
applies equally to abelian varieties), the only ‘bad prime’ for the computation of Sel 2 J p is 2. 
By the second assumption, the class group of L has odd order and therefore trivial 2-torsion. 
Together, the previous two sentences imply that the isomorphic image of Sel 2 J p in L n is 
contained in the subgroup generated by Of and the image of 2 1 ' p . The map to Lf decomposes 
as a direct sum of the map r and an isomorphism of 1-dimensional F 2 -vector spaces (since 
the class of A = 2 1//p is not contained in the image of the (global or 2-adic) units). We note 
that r is injective: assume that u G Of is a square in Ol 2 . Since u is a unit, the extension 
L(y/u)/L is unramified at all places not dividing 2 or 00 . The extension is unramified at 00 , 
since N l /q(u ) must be 1 (it is a 2-adic square by assumption), so the image of u under 
the unique real embedding of L is positive. Finally, it is unramified (and even split) at the 
prime above 2. Since the class number is odd, there are no nontrivial everywhere unramified 
quadratic extensions of L , hence u must be a square. This implies that Sel 2 J —> Lf is 
injective. Since Z is contained in Of 2 , assumption (3) implies that r(Sel 2 J)(lZ = 0 as well. 
We can now apply Proposition 7.3 and conclude that C'p(Q) = { 00 , (0,1), (0, —1)}. 

Now let F p : u p + v p + w p = 0 denote the projective Fermat curve of exponent p. Then there 
is a non-constant morphism 

/ uv vlP \ 

V ; : Fp — >C P , (u:v:w) 1 —>(z,s/)=(- -,2— + l). 

V w z w p J 
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So if P = [u : v : w) G F p (Q), then either w = 0 (if ^(P) = oo) or uv = 0 (if V’(P) = (0, ±1)), 
so P is a trivial point. □ 


Note that by Remark 4.2, the criterion formulated in the proposition above is equivalent to 
what we would obtain when using the 2-Selmer group Seh J p instead of O 

We can improve on Proposition 7.4 a bit. Note that if u,u' G CR are units with u positive 
(in the unique real embedding of L), then the Hilbert symbol (u,u') v is 1 for all places v 
distinct from the place A above 2. The product formula for the Hilbert symbol implies that 
(u, u')\ = 1 as well. There are the two positive global units A — 1 and (1 — A + A 2 )/(l + A). 
Multiplying the latter by the square (1 + A) 2 , we obtain 1 + A 3 . So if u G Of 2 and we can 
show that (A — 1,u)a = — 1 or (1 + A 3 ,w)a = —1, then u cannot be in the image of Of. 

Lemma 7.5. We work in L 2 = (Q> 2 (A) with X 1 = 2 as before. If 1 < m < l, then we have 
(A — 1,1 + A 2i_m ) A = —1 and 


(1 + A 3 ,1 + \ 2l ~ m ) 


A — 


if 3 f rn, 
—1 if 3 | m. 


Proof. We first consider A — 1. Note that (—1,1 + X 21 m )\ = (—1,1 + 2 21 m ) 2 = 1, so we can 
as well work with (1 — A, 1 + X 2l ~ m )\. We have for n > (/ — l)/2 that 

(1 + A n ) 2 - (1 - X)(X n ) 2 = 1 + A 2n+1 + X l+n ~ (1 + A 2 " +1 )(l + X l+n ) 

is a norm from L 2 (\/l — A), which implies that 

(1 - A, 1 + A 2Z_m ) A = (1 - A, 1 + y 2Z -( m + 1 )/ 2 ) A 

when 1 < m < l is odd. For even m, we have 

1 ~ (l + X l ~ m/2 ) 2 = 1 + X 2l ~ m + X 2l ~ m/2 ~ (1 + X 2l ~ m )(l + 

which implies that 

(1 - A, 1 + A 2Z_m ) A = (1 - A, 1 + A 2Z_m/2 ) A 
when 1 < m < l is even. An easy induction then shows that 

(1 — A, 1 + A 2 * -m ) A = (1 — A, 1 + A 2i_1 ) A 

for all 1 < m < l. Finally, this last symbol is —1: an element is a norm from L 2 {yJ 1 + A 2Z_1 ) 
if and only if it has the form x 2 — (1 + A 2/_1 )|/ 2 . Substituting ( x,y ) t— (X^x + y,y ) and 
dividing by X 2l ~ 2 , we see that norms have the form x 2 + Xxy — Xy 2 . If the norm is integral, 
then x and y must be in Ol 2 as well. Considering the equation 

1 — A = x 2 + Xxy — X y 2 

modulo A 2 , we see that it has no solution. 

Now we consider 1 + A 3 . For even 1 < m < l we have in the same way as above that 

(1 + A 3 ,1 + X 2l ~ m )\ = (1 + A 3 ,1 + A 2i-m / 2 ) A . 

For n > (/ — l)/2, we have the norms 

(1 + A n ) 2 - (1 + A 3 )(A n ) 2 = 1 - A 2n+3 + X l+n ~ (1 + A 2n+3 )(1 + X l+n ), 


(1 + A 3 ,1 + X 2l ~ m )\ = (1 - A, 1 + y 2 M m + 3 )/ 2 ) A 
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leading to 




when 1 < m < l is odd. By induction again, we see that 


(1 + A 3 ,1 + X 2l ~ m ) x = 


(1 + A 3 , 1 + X 21 3 )a 
(1 + A 3 ,1 + X 2l ~ 3 )\ 


if 3 \ m, 
if 3 I m. 


Let 06 L 2 satisfy a 2 —a+X 2 = 0 (such a exist by Hensel’s Lemma). Then l 2 + A-l-a — A-a 2 = 
1 + A 3 is a norm from L 2 (\/l + A 2 * -1 ), so the first symbol is 1. In a similar way as before, 
we see that norms from L 2 (\/l + X 2l ~ 3 ) are of the form x 2 + A 2 xy — Xy 2 . A consideration 
modulo A 4 shows that this can never equal 1 + A 3 , so the second symbol is — 1 . □ 


Corollary 7.6. Let p > 5 be a prime and set L = Q(2 1//p ) and L 2 = Q 2 (2 1/,p ). As before, 
r: Of] —> Of 2 denotes the canonical map. If 


( 1 ) p 2 \ 2 P_1 — 1 , 

(2) the class number of L is odd, and 

(3) 4 { |_log 2 pJ or z ^ iin(r), where z is the last element listed in Lemma 1.2, 


then Fermat’s Last Theorem holds for the exponent p. 


Proof. We only have to show that the third condition here implies that im(r) fl Z — 0. By 
Lemma 7.5, we have (with l = p) 

(A - 1,1 + A p+2 ) a = (A - 1,1 + A 2p_1 ) A = -1, 

which implies that the first two elements of Z can never be images of global units. We also 
have (A — 1, z)\ = (— 1 )L 1 o S 2 pJ ; so we can a l so ru j e out ^ when [log 2 pJ is odd. So we can now 
assume that Llog 2 pj = 2 mod 4. Then by Lemma 7.5 again, we find that (1 + A 3 , z)\ = — 1 
(note that every other term in the sequence (p — 2 k )i c is divisible by 3), and we can again 
rule out z. □ 

Corollary 7.7. FLT holds for exponents 5, 7, 11, 13, 17, 19 and, assuming the Generalized 
Riemann Hypothesis, also for exponents 23, 29, 31, 37, 41, 43, 47, 53 and 59. 

Proof. We use Magma [BCP97] to check the assumptions (assuming GRH where indicated 
to speed up the computation of the class group). It turns out that the class group of Q(2 1//p ) 
is trivial for all primes considered. We note that p = 17,19, 23, 29, 31 are the only primes p 
up to 59 that satisfy 4 | L^°g 2 i°J; so we n eed a basis of Of only for these primes; for the 
remaining ones it suffices to know that the class number is odd. □ 

Remark 7.8. Computations show that the class group of Q(2 1 ^ ?l ) is trivial for all n < 50 
(assuming GRH for n > 20), regardless whether n is prime or not. According to class group 
heuristics [VE10, Section 4.1], the 2-torsion in the class group of a number held with unit 
rank u should behave like the cokernel of a random linear map F 2 + “ —> F 2 for large n (at 
least in absence of special effects leading to systematically occurring elements of order 2 ). 
Such a map is surjective with probability > 1 — 2~ u , so noting that u — (p — l)/2 in the 
case of interest, the ‘probability’ that the class number of L is odd for all p is > 1 — 2 ~ 29 
(assuming we know it for p < 59). See also [HSV16]. 

We also remark that when the first condition p 2 j 2 P ~ 4 — 1 is not satisfied, the criterion 
does still work when we replace Of by the larger subgroup L({p}, 2) of L n represented by 
elements generating ideals of the form J 2 / 2 with J 2 supported on the ideals above p. In 
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this case, however, we also have to check that the map to L ° is injective. A similar remark 
applies to the case when the class group does have even order. 

8. An application to certain generalized Fermat equations 
Recall the following statement. 

Proposition 8.1 (Dahmen and Siksek, [DS14, Lemma 3.1 and Proposition 3.3]). Let p be 
an odd prime. If the only rational points on the curve 

C' p : 5 y 2 = 4x p + 1 

are the obvious three (namely oo, ( 1 , 1 ) and ( 1 , — 1 )), then the only primitive integral solutions 
of the generalized Fermat equation x 5 + y 5 = z p are the trivial ones: 

(x,y,z) = ±(0,1,1), ±(1,0,1), ±(1, —1,0). 

Dahmen and Siksek show that this is true when p G {7,19} and also when p G {11,13}, 
assuming GRH. We will use our approach to extend the range of primes p for which it can 
be shown that C'(Q) has only the obvious three rational points. 

So we now consider the curves C[, with l — 2g + 1 odd, but not necessarily prime. The 
corresponding etale algebra is still L = Q(A) with A = 2 1 ! 1 (since C[ is the quadratic twist 
by 5 of y 2 = 4x l + 1), but the descent map is now given on a point on the Jacobian with 
Mumford representation [a,b] by the class of —5 a{6) (instead of —a{6)) if the degree of a is 
odd. 

It is still the case that C[ has good reduction mod 2 (replacing y by 2y +1 and dividing by 4 
gives 5 (y 2 + y) = x l — 1 ) and that there is no nontrivial 2 -torsion in J/((Q> 2 ) nor i n J/(F 2 ), 
where J[ denotes the Jacobian of C[. We therefore have a statement similar to Corollary 7.1. 
Note that we have again three residue disks, centered at oo, (1,1) and (1, —1), respectively. 

If Pq G C[{ Q), then we write Dp 0 for the residue disk centered at Pq. We let pp 0 '. D 0 —y Dp a 
be a parameterization of Dp 0 such that </?(0) = Pq (and such that ioo o is odd). 

Corollary 8.2. We have 

q(ioo(Doo)) = q(i 00 (^ 00 ( 2^2 ))) U {0} 

9 (^( 1 , 1 )(-D(i,i))) = qif( 1 , 1 )(^( 1 , 1 )( 2^2 U4Z2)))U{0} 

Proof. This again follows from Corollary 3.9. □ 

The main difference with the case discussed in the previous section is that, if l > 7, the two 
points (1, ±1) do not map to points of finite order in J[ under the embedding that sends 00 
to zero. So from now on, we assume that l > 7. Note that the rank of J' b { Q) is zero (the 
2-Selmer group is trivial), so it is almost immediate that C^Q) = { 00 , (1, ±1)}. 

We first consider the image of C' / , (Q 2 ) in J/(Q 2 )/ 2 J/(Q 2 ) under q o i^. 

Lemma 8.3. In terms of representatives in Lf, we have 

(1) /i 2 (g(Lx>(Ax>))) = {1,1 ± A 2 '" 1 }. 

(2) /^ 2 (< 7 (hx>(-D(i,i)))) = {5(1 + A 2 ), 5(1 ± A 2 + X l+2 )}. 
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Proof. By Corollary 8.2, we know that q(ioo{Doo)) = q{i 00 (^ 00 ( 2 ^ 3 ))) U {0}, where we can 
choose Lpoo such that x(ipoo(t)) = 5 t~ 2 . So let u G TLf , then // 2 (*oo(<A»( 2 m))) is represented 
by 

2 / „ ,2 


5 


5 [ + A " 2 ) = I — ) I 1 + 


4u 2 


5 


2 u 


4 u 2 


>-2 


1 + A 


21—2 


1 + A 


21 — 1 


This proves (1). 

Now let P G ZA(i i). We can choose <^( 1 , 1 ) such that x((^(i i i)(t)) = 1 + t. If m G Z£, then 
^ 2 (^ 00 (^( 1 , 1 ) (2w))) is represented by 

5(1 + 2u + A" 2 ) ~ 5(1 + A 2 + mA' +2 ) ~ 5(1 + A 2 + A i+2 ), 

and for any u G Z 2 , /i 2 (^00 (^( 1 , 1 ) (4u))) is represented by 

5(1 + 4u + A -2 ) ~ 5(1 + A 2 + mA 2 * +2 ) ~ 5(1 + A 2 ). 

This proves (2). □ 


Now we consider the embedding i(i.i). 

Lemma 8.4. In terms of representatives in Iff, we have 

^ 2 (q(i(i,i) (-0(1,1)))) = {1,1 + A i+2 /(l + A 2 ), a, a'}, 

where a = /i 2 (Q) for the point Q G J/(Q 2 ) such that 2 Q = 11 )(4) and a 1 = /i 2 (£/) where 

2<7 = ^ (1>1) (-4). 

Proof. We make use of Corollary 8.2 again, which tells us that it suffices to consider points P 
with x-coordinates 1 + 2u or 1 + 4 u, where mgZ 2 x . If x = 1 + 2 m, then by the computation 
in the proof of Lemma 8.3, we have vr 2 (i( lil )(P)) = ^(^(P)) — 7T 2 (z 00 ((1, 1))), which is 
represented by 

\ Z+2 

5(1 + A 2 ) • 5(1 + A 2 + A* +2 ) - 1 + ---. 

1 + 

If x = 1 + 4 m, then i( 11 )(P) is divisible by 2 in .//(Q 2 ), so we have to look at 7 t 2 (<5) where 
2 Q = P, for suitable values of u. Since i(i,i)(P) G K 2 \ K 3 , we have v (*( 1 , 1 ) ( P )) = so 
by Corollary 3.2, 7 t 2 (Q) depends only on u mod 4, so the two values u = 1 and u — — 1 are 
sufficient. □ 


In practice, it appears that cr = a 1 in all cases, which would be implied by the difference of 
the images of any pair chosen from the relevant points being divisible by 4. We know this 
difference is in K 3 , but we did not exclude the possibility that it is only divisible by 2 and 
not by 4. 

We can now formulate a criterion. 

Proposition 8.5. Consider C [: 5 y 2 = Ax 1 + 1, with Jacobian J[, where l = 2g + 1 > 7 is 
odd. Recall that L = Q(2 1 d); let S C L u be a finite subgroup that contains the image of 
Sel 2 J\. Assume that 

(1) the canonical map S L u —>• Iff is injective, and 
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(2) its image does not meet the set Z' consisting of the classes of 

X l+2 


1 + A 


21-1 


1 + 


1 +A 2 ’ 


cr, o 


in Z *2 . 


Then C[( Q) = {cx), (1,1), (1, -1)}. 

In particular, if l = p is a prime, then the generalized Fermat equation x 5 + y 5 = z p has no 
nontrivial coprime integral solutions. 


Proof. Note that Lemmas 8.3 and 8.4 imply that Z' U{1} is the union of the sets Y occurring 
in Algorithm 4.1 when it is applied to the curve C[, so the assumptions imply that the 
algorithm will not return FAIL. (There cannot be any elements in Sel 2 C other than the 
images of the known points, since this would lead to a non-trivial intersection of Z' with the 
image of S .) The set returned by the algorithm can contain at most one point in each 2-adic 
residue disk. Since there are only three such disks, the known points must account for all 
rational points on C[. □ 


Computing o and o' for many values of /, it appears that their images in iff are represented 
uniformly by an infinite product 

(1 + X l+2 )(1 + A z+6 )(1 + A z+8 )(1 + A z+10 )(l + A m4 )(l + A m8 )(l + X l+22 ) 

but it is not obvious which rule is behind the sequence (2, 6, 8,10,14,18, 22,...). However, 
extending it further and consulting the OEIS [OEIS] gives exactly one hit, namely A036554, 
the sequence of ‘numbers n whose binary representation ends in an odd number of zeros’, 
i.e., such that w 2 {n) is odd. So we propose the following. 


Conjecture 8.6. 10 . 2 ( 0 ) (and also /i 2 (<r')) is represented by 


(1 + X l+n ) ~ 1 + 

n>l, 2^2(11) 


\‘ 

rwi + vy 


We give a more concrete version of the criterion, following the considerations of Remark 4.2. 

Corollary 8.7. Assume that l is prime and that l 2 \ 2 l ~ 1 — 1. Then a possible choice of the 
subgroup S in Proposition 8.5 is the subgroup of L({ 5}, 2) consisting of elements mapping 
into the image of J'[( Q 5 ) in iff. In fact, the resulting criterion is equivalent to what would 
be obtained by taking S to be the image o/Sel 2 J[. 

Proof. As in the case discussed in the preceding section, the assumption l 2 \ 2 l ~ l — 1 implies 
that the Tamagawa number at l is 1, so that we can reduce to S = {2,5}. Furthermore, 
since 2 is totally ramified in L and L has odd degree, the norm of any element a G L x 
whose valuation with respect to the prime above 2 is odd will have odd 2-adic valuation and 
cannot be a square. This lets us reduce to L({ 5}, 2). Remark 4.2 now shows that using S is 
equivalent to using Sel 2 J[ in the algorithm. □ 
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We note that it is fairly easy to find S, given L({ 5}, 2), since the image of J[{ Q 5 ) in L 
equals the image of J/(Qs)[2], unless there are elements of order 4 in <//(Q 5 ). We can easily 
exclude this by checking that the images of an Fo-basis of J/(Qs)[2] are independent. 

We carried out the computations necessary to test the criterion of Proposition 8.5 in the 
version of Corollary 8.7. This results in the following. 

Theorem 8.8. For 7 < p < 53 prime, we have (assuming GRH when p > 23) 

CJ(Q) = {oo,(l,l),(l,-l)}. 

In particular, the generalized Fermat equation x 5 + y 5 = z p has only the trivial coprime 
integral solutions. 


9. An ‘elliptic Chabauty’ example 

In this section, we apply our approach to ‘Elliptic Curve Chabauty’. The curve in the 
following result comes up in the course of trying to End all primitive integral solutions to 
the Generalized Fermat Equation x 2 + y 3 = z 25 . It is a hyperelliptic curve over Q of genus 4; 
it can be shown that the Mordell-Wcil group of its Jacobian has rank 4 (generators of a 
finite-index subgroup can be found), so that Chabauty’s method does not apply directly to 
the curve. 

Theorem 9.1. Let C be the smooth projective curve given by the affine equation 

y 2 = 81x 10 + 420x 9 + 1380x® + 1860x 7 + 3060x 6 - 66 x 5 + 3240x 4 - 1740x 3 + 1320x 2 - 480x + 69. 

If GRH holds, then C( Q) consists of the two points at infinity only. 

Proof. As a first step, we compute the fake 2-Selmer set as in [BS09] . We obtain a one-element 
set (this requires local information only at the primes 2, 3 and 29). Using [StoOl, Lemma 6.3], 
we then show that the points in C(Q 2 ) whose image in Lf /Qf is the image of the unique 
element of the fake 2-Selmer set are those whose ^-coordinate has 2-adic valuation < —3. 
This set is the union of two half residue disks (the maximal residue disks contain the points P 
such that V 2 (x(P)) < —2) that are mapped to each other by the hyperelliptic involution, so 
it is sufficient to consider just one of them, say the disk that contains P 0 = 009 , the point at 
infinity such that ( y/x 5 )(Po) = 9. 

The splitting held of the polynomial / on the right hand side of the curve equation contains 
three pairwise non-conjugate subfields k of degree 10 over which / is divisible by a monic 
polynomial g G k[x\ of degree 4. If P is any rational point on C, then it follows that 
g(x(P)) is a square in k (this is because the image of P in the fake 2-Selnrer set is the 
same as that of Pq), so we obtain a point (£,??) G H(k ) with £ G Q (or £ = 00 ) where H 
is the smooth projective curve given by y 2 = g(x). We can parameterize the image of the 
residue disk around P 0 by a pair of Laurent series ((2t) _1 , y/g((2f) -1 )) (where we can take 
the square root to have leading term f~ 2 /4). Since H{k) contains the two points at infinity, 
H is isomorphic to an elliptic curve E over k ; we take the isomorphism so that it sends 
OO! G H(k) to the origin of E. We then obtain a Laurent series £(t) G k((t)) that gives the 
x-coordinate of the image on E of the point whose parameter is t. 
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For the following, we take k to be the held generated by a root of 

a ; 10 + 75x 6 - 50x 5 + 100x 3 + 625x 2 + 1250x + 645; 

the polynomial g and the curves H and E are taken with respect to this held. We next 
compute the 2-Selmer group of E over k. There is exactly one point of order 2 in E(k), 
which means that we have to work with a quadratic extension of k. This is where we use 
GRH, which allows us to find the relevant arithmetic information for this held of degree 20 
faster. The Selmer group has F 2 -dimension 6 (so the bound for the rank of E(k) is 5). We 
check that it injects into E(k 2 )/2E(k 2 ), where k 2 = k<S>q Q 2 ; note that this splits as a product 
of two extensions of Q 2 , both of ramihcation index 2 and one of residue class degree 1 , the 
other of residue class degree 4. 

In the context of our method, we consider the curve that is the (desingularization of) the 
curve over Q in A = Rk/qE (the latter denotes the Weil restriction of scalars) that corre¬ 
sponds to the set of points on H whose x-coordinate is rational. We have E{k 2 ) = A(Q 2 ), so 
we can use arithmetic on E over k and its completions for the computations. We check that 
77-tors = 1 (the map from E{k 2 )[ 2] to E{k 2 )/2E{k 2 ) is injective). By Lemma 3.7, a suitable 
value of m is m = 4, provided 5 > 77.4 in the notation of the lemma. Note that in this 
situation halving points is easy, since doubling a point corresponds to an explicit map of 
degree 4 on the x-coordinate. If P is in our half residue disk, then i(P) + T (where T is the 
point of order 2 in E(k ) = A(Q)) is not divisible by 2, and its image in A(Q 2 )/27l(Q 2 ) is the 
same as that of T. So we only have to determine q(i(P)) for a suitable selection of points P 
in our disk. We write P T for the point corresponding to the parameter r G 2Z 2 . 

We compute Y r = g(i(P r )) for r G {±4, ± 8 , ±16}. Note that this can be done solely in 
terms of the x-coordinate £(r). We find that v{i(P T )) = v 2 (r) — 1 for these values and that 
l± r = Y r . This implies that n m — m — 1 for 2 < m < 4 and that q of the disk in question 
is the union I 4 U Y§ U ±l 6 - bi fact, it turns out that this union is equal to Y$, and we verify 
that Y$ meets the image of the 2-Selmer group only in the image of the global torsion. By 
Theorem 2.6, this then implies that there can be no other point than P$ in our (half) residue 
disk. The claim follows. □ 

We note that the two other possible choices of k also lead to elliptic curves with a 2-Selmer 
rank of 5 (this is unconditional for one of the choices, where the curve E happens to have full 
2 -torsion over k ), but for these other fields, the condition that the image of the disk under q 
meets the image of the Selmer group only in the image of the global torsion is not satisfied. 
We also remark that we have been unable to find five independent points in E{k) (for any 
of the three possible choices of k and E), so that we could not apply the standard Elliptic 
Curve Chabauty method. 

Another application of our ‘Selmer group Chabauty’ approach in the setting of Elliptic 
Curve Chabauty was made in [FNS16]. We use this to show that there are no unexpected 
points on the elliptic curve Xo(ll) defined over certain number fields of degree 12 and such 
that the image under the j-rriap is in Q. This is a vital step in the proof that the only 
nontrivial primitive integral solutions of the Generalized Fermat Equation x 2 ± y 3 = z 11 are 
(x,y,z) = (±3, —2,1). The situation is similar to what happens for the example presented 
here: we can compute the 2-Selmer group of X 0 (ll) over the fields of interest, but we are 
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unable to produce enough independent points to meet the upper bound on the rank, so we 
cannot apply the standard method. 
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